Shouldn't we change admin user id from "1" to another number? Hackers know this.
I use and very much like AIO Security. But I’ve realized a new threat that your plugin doesn’t address and I’d like your opinion. I changed my administrator account from “admin” to something else with your plugin. But my Brute Force attackers figured it out right away. I could not figure out why until I read this article.
Since the admin user id is “1”, it’s a quick step for them to figure out my admin username.
By default the ID of the built-in WordPress administrator account is 1. Therefore unless you change the ID of the WordPress administrator to a higher random number, anyone can use the URL below to identify the WordPress administrator username, irrelevant of the WordPress permalinks configured on your WordPress.
http://www.samplesite.com/?author=1
If the WordPress administrator ID is still set to 1 the user will be redirected to the below URL, where the new username is shown at the end of the URL. For example in the below URL, the username is superadmin.
It is recommended to change the user id from 1 to some considerably higher number.
So my question is what does the author of AIO Security think about this, and why is such a function not implemented in the plugin? Supposedly the plugin Better WP Security does this.
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
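For readers who want to close the lookup path described in the post without renumbering the account, here is a small WordPress plugin that answers a numeric `?author=` request with a 404 before WordPress performs the canonical redirect to `/author/<username>/`. This is an added example; it is not code from All In One WP Security, from Better WP Security, or from the poster. The function names (`bae_*`) are my own, and it assumes a WordPress install on PHP 7.1 or newer.

```php
<?php
/**
 * Plugin Name: Block ?author=N enumeration (added example)
 * Description: Answers /?author=<id> with 404 instead of redirecting to
 *              /author/<username>/, which is how the ID reveals the login name.
 *
 * Added example, not part of any plugin mentioned in the post.
 * Save as wp-content/plugins/block-author-enum.php and activate, or paste
 * everything below this header into the active theme's functions.php.
 */

if (!defined('ABSPATH')) {
    exit; // loaded outside WordPress
}

/**
 * True when the request carries a numeric ?author= query argument.
 * Only the raw query string is inspected, so pretty-permalink author
 * archives (/author/<username>/) keep working for legitimate visitors.
 */
function bae_is_numeric_author_request(): bool
{
    if (!isset($_GET['author'])) {
        return false;
    }
    return (bool) preg_match('/^\d+$/', (string) wp_unslash($_GET['author']));
}

/**
 * Hooked at priority 1 on template_redirect so it runs before
 * redirect_canonical() (priority 10), the core function that turns
 * ?author=1 into a 301 to /author/<username>/.
 */
function bae_block_author_enumeration(): void
{
    if (!bae_is_numeric_author_request()) {
        return;
    }
    // Leave a trace in the PHP error log so repeated probing is visible
    // to whoever reviews the logs; REMOTE_ADDR is attacker-influenced
    // behind proxies, so treat it as a hint, not an identity.
    error_log(sprintf(
        'author enumeration attempt blocked: ip=%s uri=%s',
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-'
    ));
    status_header(404);
    nocache_headers();
    wp_die('Not found', 'Not found', array('response' => 404));
}
add_action('template_redirect', 'bae_block_author_enumeration', 1);
```

To confirm it is active, request `http://www.samplesite.com/?author=1` with `curl -sI`: before activation the response is a 301 with a `Location` header ending in the administrator's username; afterwards it is a plain 404 with no `Location` header. Note that this only removes the redirect the article relies on; the administrator's user ID is still 1, so any other place that maps an ID to a login name is unaffected.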