Morten Rand-Hendriksen seems to think that changing your username from admin will solve everything.
Problem: “admin” is still the default user name
Solution: “admin” shouldn’t be an option
If you think of it that way… then it is the solution to the exact problem “admin is the default username”, but it is not a solution to your site getting brute-forced.
Use admin if you want, don’t use admin… it probably doesn’t matter. People will just end up using their site name as their username, or the username they use everywhere else on the internet. Their author username is usually exposed on the site anyway as the post author. If they are posting as admin, then it is pretty bleeding obvious that their main account is called `admin`. If they are posting as `bob`, you can be pretty sure that the main account is called `bob`. You can even click through to find out what their username is. For example, the post on Morten’s page says the author’s name is `Morten Rand-Hendriksen`; click that and you find out his username is `mor10-2`. That was easy, and it (and the other user accounts) can be found automatically with WPScan, which can then try to brute-force the site using the usernames it found.
A better solution (since we are talking about brute forcing) is to use a crazy long password for your admin account. Make sure it is not in any common word list; better still, make it fully random and use a password manager (which is password-protected, of course) to remember the 64-character string that is your password.
Also for brute-force protection, use something like Login LockDown to lock access to your account after a couple of failed tries. This will severely hamper the brute-force effort.
This check uses mellt to see how long it would take to brute-force your password at 1,000,000,000 attempts per second. The code is freely available on GitHub if you don’t want to type your password into some stranger’s site (I fully understand your paranoia).
To wrap up:
- Don’t use a common password
- Make sure your password is long
- If your password is hard to remember, use a password manager
- Make sure you at least throttle login attempts (there are lots of WordPress plugins to do this)
- Don’t worry about using the admin user account name (though it isn’t very personal)
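As an added example (my own code, not from the post, mellt or any WordPress plugin), the two defences above in Python: a mellt-style estimate of worst-case cracking time at 1,000,000,000 attempts per second using a constructed six-word common list, and a login throttle that locks a username after three failures the way a lockdown plugin does. The WordPress hash check is replaced by a plain string comparison, an assumption made for brevity.

```python
import hmac

# Constructed sample of a common-password list (mellt ships a far larger one).
COMMON_WORDS = {"password", "123456", "admin", "letmein", "qwerty", "wordpress"}
ATTEMPTS_PER_SECOND = 1_000_000_000  # the rate the check on this page assumes


def charset_size(password: str) -> int:
    """Alphabet an exhaustive search must cover to reach this password."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33  # printable symbols
    return size


def seconds_to_crack(password: str) -> float:
    """Worst-case seconds to find the password at ATTEMPTS_PER_SECOND.
    A word on the common list falls to a dictionary pass, so its cost is the
    list length rather than the keyspace; anything else is brute-forced."""
    if password.lower() in COMMON_WORDS:
        return len(COMMON_WORDS) / ATTEMPTS_PER_SECOND
    return charset_size(password) ** len(password) / ATTEMPTS_PER_SECOND


class LoginThrottle:
    """Lock a username after max_failures bad attempts, the behaviour a lockdown
    plugin adds in front of wp-login.php. Timestamps are passed in for testing."""

    def __init__(self, max_failures: int = 3, lockout_seconds: int = 600):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> time the lockout expires

    def attempt(self, username: str, password: str, secret: str, now: float) -> str:
        # While locked, even a correct guess is rejected, so the attacker gets no
        # confirmation during the lockout window.
        if self.locked_until.get(username, 0) > now:
            return "locked"
        if hmac.compare_digest(password, secret):  # stand-in for WP's hash check
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0
            return "locked"
        return "denied"
```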