WordPress is the most popular content management system in the world. It powers 43% of all websites on the Internet. And due to its popularity, it is a popular target for hackers. According to a 2018 Sucuri report, 90% of all CMS-based websites cleaned by it during that year were WordPress websites.

No WordPress user can afford to take the security of their website lightly. As you probably already know, the login page to your WordPress dashboard is the first line of defense against bad actors. If somebody were to gain access to your WordPress site, they could do a lot of malicious stuff. They could infect your site with malware/adware/spyware, make it redirect to an unsafe site, install cryptocurrency mining software on it, and so on.

While having a super strong password can make it hard for hackers to break into your site, a WordPress username that is difficult to guess makes it doubly hard for them to do so. If you aren’t happy with your current username, I’ll show you how you can change WordPress username in simple steps in this article, covering three methods to do so. Later in the article, I’ll explain why having a complex username isn’t enough for security, but it doesn’t hurt to have one anyway.

TL;DR: Whatever your reason for changing your WordPress username might be, know that changing it is not an effective way to boost your website’s security. Use MalCare to secure your site. With features such as daily automatic malware scanning, one-click malware removal, a state-of-the-art integrated firewall, IP address blocking, real-time security alerts, and more, MalCare is the best security solution out there for WordPress websites.

WordPress username requirements

Your username is publicly visible. Anyone can find out what your username is by hovering over your display name (which leads to a page containing all the posts written by you) on a post and looking at the URL. The URL should be like https://example.com/author/nameoftheauthor/. Hence, choose a username that you’re comfortable showing to others.

When you install WordPress for the first time on your site, it gives you the username ‘admin’ by default and provides you the option to change it. Change your WordPress username immediately during the setup itself. WordPress doesn’t recommend having ‘admin’ as a username because it’s the default and, therefore, easy to guess, in addition to the following:

• adm
• admin
• admin1
• hostname
• manager
• qwerty
• root
• support
• sysadmin
• test
• user

How to change WordPress username properly?

There are three main ways to change your WordPress username:

1. Create a new user to use as your default WordPress account;
2. Use a plugin; or
3. Use phpMyAdmin.

Before proceeding to change username in WordPress, however, I recommend backing up your site. You’re making an administrator-level change after all, and there is a chance that you can lock yourself out of your account. Having a backup means you can restore access to your site should that happen.

Change WordPress username by creating a new user

WordPress doesn’t give you the option to change your WordPress username directly, unlike most websites. One workaround to this problem is to create a new user with the username you desire, transfer all your content to it, and then delete your existing account. The effect is the same as changing your WordPress username directly from the dashboard if that was allowed. Let’s get started.

1. Go to Users > Add New from your WordPress dashboard.

2. Fill in your details on the next page. Just make sure to use a different email address from the one you used to create your existing WordPress account, otherwise, you’ll get an error saying the email address is already registered. Also, make sure to assign this new user the Administrator role so that you’ll get the same admin privileges you have with your existing account.

3. Click on Add New User at the bottom to finish adding this user.
4. Log out of your existing account, then log in with the new user account you just created.
5. Go to the Users > All Users page and click on Delete underneath your old admin account.

6. On the confirmation page, WordPress will ask you what you wish to do with the content belonging to your old account. Select ​​Attribute all content to, then choose the new account you created from the drop-down menu.

7. Click on Confirm Deletion to finish deleting your old account. WordPress will delete that account and take you back to the All Users page with the message ‘User deleted.’

That’s it! You’ve successfully changed your WordPress username. If you wish to use the same email address as before, then head on over to Users > Profile to change it.

Change your WordPress username using a plugin

If you’d rather have to change your WordPress username automatically, use a plugin. For this article, I’ll be using the excellent Easy Username Updater plugin. As the name suggests, it’s easy to use. Here are the steps:

1. Install and activate the Easy Username Updater plugin. You’ll see a new button called ‘Username Updater’ under the Users menu. Click on it.

2. You’ll see a list of all users of your WordPress site on the next screen, along with their email addresses, roles, and User IDs. Click on update for the user for which you want to change WordPress username. We’ll be changing the username ‘srikant’ to ‘wordpress_wizard.’

3. On the next screen, enter your new username, check the box to send yourself an email notification about the username change if you desire, and then click on Update Username.

With that, you’ve successfully changed your WordPress username. If you now go to the All Users page, you’ll see your new username for your account. You can uninstall the plugin now if you want to.

Change WordPress username in phpMyAdmin

This method is a little more complicated than the two methods I’ve explained so far, as it requires you to make direct changes to your database. It is risky. If you make the wrong changes, you might cause errors on your site or even lose access to it. Proceed with caution and follow the steps carefully. You should only use this method as a last resort. If you haven’t backed your site yet, this is a good time to do so. 

You might be asking, “What is phpMyAdmin?” Well, it’s a program that provides a web-based interface for site owners/administrators to manage their MySQL databases. Your WordPress database stores critical data about your site including, you guessed it, your username. We’ll be changing the username directly in the database using phpMyAdmin.

Most web hosts will automatically install phpMyAdmin alongside WordPress when you sign up. If your host didn’t, then you would have to install it yourself on your website’s server. Look up the instructions pertaining to your web host online.

The following instructions will largely apply to all web hosts, but I’ll be using Bluehost for this example.

1. Click on Advanced > phpMyAdmin from the Bluehost dashboard. This will launch phpMyAdmin in a new tab.

2. Select your WordPress database from the left-hand navigation menu, and then click on the wp_users table.

3. Click on Edit next to the username that you want to change. We’ll be changing ‘wordpress_wizard’ to ‘srikant.’

4. Replace your old username with the new one in the user_login field, then click on Go at the bottom.

With that, you’ve successfully changed your WordPress username in the database using phpMyAdmin.

Why you may want to change your WordPress username and how to pick a good one

Besides the slight boost to security, you may want to change username in WordPress because you feel like it’s time for a change, or you want to hand over the reins of your website to another person. Regardless of your reason, choose your username wisely. Here are some tips on how to pick a good username:

• Make it hard to guess. I’ve explained why earlier in the article.
• Choose something memorable and which makes sense to you.
• Avoid basing it on personal information as such usernames can be relatively easier to guess unless it’s created like a passphrase (explained below).
• Create your username in the style of a passphrase. A passphrase is essentially a strong password – utilizing a mix of letters, numbers, and special characters – which makes no sense to anyone but you. Yes, unlike other strong passwords, passphrases actually make sense. Let me explain with an example. Let’s say your favorite movie of all time is Inception. This is a fact about you that you’ll probably never forget. Inception starred Leonardo DiCaprio in the leading role and was directed by Christopher Nolan.
  
  
  With all this information, you can make the following sentence: “Starring Leonardo DiCaprio and directed by Christopher Nolan, Inception is my favorite movie of all time.” If you now take the first letter of each word as is, you have the following phrase: ‘SLDCadbCNIimfmoat’. Voila! You now have a fairly strong password. You can make it even stronger by substituting certain letters with special characters that look like them, so an ‘S’ becomes ‘$’, a ‘b’ becomes ‘6’, and so on. With such substitutions, we get the following phrase: ‘$LDC&d6CN1imfm0@t’. We can agree that is a very strong password and one that makes sense to you.

Recommended Read: WordPress password security guide

Does the WordPress username really matter?

In a nutshell, no, it doesn’t. You’ll see it mentioned in WordPress security articles because of the existence of brute force attacks. 

Brute force attacks are one of the most popular ways hackers can gain access to your site. Hackers use trial and error to guess your login information. They use bots that try all possible combinations of letters, numbers, and special characters, hoping to land on one that would let them through. As you can imagine, such a hacking attempt isn’t computationally efficient. Unfortunately, there are tons of weak passwords floating around on the Web, and hackers use databases of such weak passwords for their hacking attempts. Even if a hacker is able to gain access to 1 out of every 100 accounts they try to hack, their job is done. 

The reason that changing the default username is an ineffective shield against brute force attacks is that there are several ways to figure out usernames on WordPress. If there is a blog, a hacker can make an educated guess. Additionally, WordPress allows the use of email addresses to log in. Ultimately, the best form of defense against login-cracking bots is an advanced firewall with bot protection and limiting login attempts, both of which are available with MalCare.

How to actually enhance your WordPress site’s security

While changing your username to something more complex can enhance your WordPress security a bit, note that if you forget it, you’ll have to dig into the database to retrieve it. It’s why we recommend using a password manager like 1Password, Dashlane, or LastPass. You can safely store any login credentials in the cloud with these, and nobody—not even the company behind the password manager—will be able to discover them since they’ll be encrypted.

Also, changing your WordPress username to something much harder to guess may not be enough to thwart brute force attacks. There might be several hundreds of bots working in parallel to crack usernames and passwords. We provide some tips below on how to boost your site’s security significantly.

Install a WordPress firewall

You need a quality firewall with bot protection. Firewalls block malicious IPs from reaching your site altogether. Bot protection analyzes bot behavior to keep out the bad ones. MalCare has a firewall with both bot and global IP protection.

Limit login attempts

Additionally, you should limit login attempts to your site to prevent these sorts of attacks. With MalCare, users are locked out after a certain number of unsuccessful login attempts. If there is a real human who is trying to log into the site, they can solve a simple captcha to circumvent the block. Bots, on the other hand, are locked out for a considerable amount of time, severely impacting their effectiveness.

Use two-factor authentication

Two-factor authentication, or 2FA for short, adds a layer of security for logins. Here’s how it works in a nutshell: after you log in to an app or website using your login credentials, you’ll have to enter a temporary secret code that only you know so that the app or website can verify that it’s actually you who’s logging in, and not anyone else. You can either have the secret code delivered to you via text message or use a 3rd-party app like Google Authenticator. Check out our guide on how to enable 2FA in WordPress.

Install a comprehensive WordPress security solution

The best way to secure your WordPress site is to use MalCare. MalCare will scan your site daily for malware and comes with a cutting-edge firewall with global IP protection. Additionally, if your site gets infected, you can remove all malware from it with one button click.

Conclusion

Having a username that is difficult to guess makes brute force attacks against your website a little harder. Hence, use a strong username for accessing your WordPress dashboard. Having said that, a strong username and password combination may not be enough to thwart hacking attempts. Use MalCare to secure your site and obtain peace of mind.

FAQs

Q – How can I change my WordPress username?

A – There are three main ways to change your WordPress username: create a new user and delete the old one, use a plugin, or use phpMyAdmin.

Q – Should I even care about my WordPress username?

A – Having a strong WordPress username is useful for improving your website’s security, even if slightly. At the very least, it can make brute force attacks harder to succeed.

Q – What is a good plugin that can change WordPress username?

A – The Easy Username Updater plugin is a good one. It’s pretty easy to use.

Q – What is a valid username for WordPress?

A – A valid WordPress username is one that only has alphanumeric characters (letters and numbers), spaces, and/or certain special characters, namely spaces, underscores, hyphens, periods, and @ symbols. No other special characters are allowed.

Q – How can hackers get a WordPress username?

A – Anyone can see your username since it’s public. Hackers usually have access to databases listing the most common usernames and passwords. So, make sure to choose an obscure username.

Q – What characters are allowed in a WordPress username?

The following are allowed in a WordPress username:

• Alphanumeric characters (letters and numbers)
• Spaces
• Underscores
• Hyphens
• Periods
• The @ symbol

Q – Can a WordPress username have spaces?

A – Yes, it can.

Q – Why can’t I change my WordPress username?

A – WordPress doesn’t allow anyone to change their username from the dashboard. However, there exist methods to do so, and we’ve discussed those in the article.

Q – How do I know what my WordPress username is?

A – You can find out your username from your WordPress dashboard by going to Users > Profile. Your username will be displayed under the Name section.

Q – How can I secure my WordPress website?

Use MalCare. It’s a state-of-the-art anti-malware tool for WordPress websites.