Support » Fixing WordPress » Change the admin user name

  • Hi guys,

    we’re running wp 4.8.5. as a multisite with different login groups through UAM plugin. Some “hacker” got the admin user name by adding ?author=1 to the site url. With that one they try to invade our page from Russia, Turkey and more. As a matter of security we installed WPfence to disable the ?author hack. We also need to change the admin user name.

    I did this straight in mysql, changed admin name and under _users and _site_meta. New login is working, but we don’t see any network links (administration for the other sites of the multisite installations, plugins, settings) plus in the admin bar we don’t see the account info plus logout anymore. Tried some plugins to change the name to. No success.

    Anybody knows how to fix this?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Create a new account.
    Login to the new account.
    Delete the old account. (Assign content from old account to new account only after running a WordFence scan and it comes out clean.)
    That’ll give your new admin account a new user ID, which is an added benefit.

    Thread Starter ffwebdesigner

    (@ffwebdesigner)

    thanks for the hint, MNX. already tried that. same effect. no superadmin, no account/logout buttons.

    To add super admin capabilities to a user, you can just add this to your functions.php or add it as a global Code Snippet:

    grant_super_admin(1);

    The number needs to be the ID of the new admin.
    Once that’s set and verified, the line must be removed again.

    Thread Starter ffwebdesigner

    (@ffwebdesigner)

    i tried it that way…not working maybe due to network installation. but that’s not the problem. i can create a new superadmin under network administration > users.

    the problem is: to make the usernames as safe as possible we used the plugin network override usernames restrictions. which hasn’t been updated in 6 years and is not worling anymore. i tried sveral other recipes in the functions.php file, all without success. as soon as i change just one letter in the new superadmin user name in the db to uppercase, all network links and the account/login/out buttons in the admin bar disappear.

    I see, please provide such information right away as it saves everyone a lot of time. I’m hoping you have backups so you can roll back to before the change?

    I’m not an expert on multi-site installations so if you need fixing here, someone else might have better insights than I do.

    I do know however, that what you’re describing is ‘security through obscurity’ and it simply doesn’t work. There’s absolutely no security benefit to obfuscating/changing usernames as there are just too many ways to detect them.

    I suggest using Two-factor Authentication so the username wouldn’t be of any use to attackers, even if they happen to come by the password. This is considered to be safe.

    You can also change the front end author slug, if that makes you sleep any better but again, it doesn’t add any security.

    • This reply was modified 2 years, 12 months ago by MNX.
    Thread Starter ffwebdesigner

    (@ffwebdesigner)

    thanks for the reply and sorry for the missing info.
    the ?author=1 hack has been disabled by wordfence.
    2factor authentication isn’t an option as we got user groups fir a customer area that are alle the same for multiple users.
    as the hackers do know the old admin name and there have been hacking attempts we’d really like to use uper/lower/spacae/numbers in usernames. i consider it to be in fact more secure as wordfence seem to prohibit all known “hacks” to get the user names.

    That author name hook is not a hack, it’s just a means of reconnaissance for attackers but they would still need to brute force (or social engineer) the password for that account. If you have WordFence installed then you should be fine as it will limit the login attempts and block the IP’s breaking the rule. It should take them decades, if not centuries to hack your site that way. (Provided you use a strong password, such as the one WP automatically generates)

    You can enable 2FA for the Super admin account only, that doesn’t have to do anything with other accounts, groups or customer areas.

    I just went through this, since someone was trying to use my actual username to get in– Wordfence alerted me and shut the attempt down, naturally.
    Anyway, I did change my username while leaving ny nicename and nickname the same as before, and after doing so I lost superadmin privileges.

    Here’s the solution I found in several places;

    Using your Theme’s Functions.php to add Super Admins
    To add an admin by user ID you can use grant_super_admin.

    Simply put the grant_super_admin function in your theme’s functions.php file (usually in /wp-content/themes/CURRENT THEME NAME/functions.php). You’ll need to put the ID of the user as a variable, the example below we’re using the user ID of 1.

    grant_super_admin(1);
    After doing this check to confirm that user has Super Admin privileges and remove the line from functions.php so it doesn’t constantly run.

    Here’s a caveat, however; After running this in my theme’s functions file, my privileges were not restored. I switched my theme to twenty16, placed the line int that functions file, and voila it worked.
    Going back to my database I see a line that has been restored;
    user-id= 1
    meta key= multisite-sso
    Value= a:2:{s:4:”hash” (etc)
    So there you go.

    • This reply was modified 2 years, 6 months ago by .
    • This reply was modified 2 years, 6 months ago by .
Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘Change the admin user name’ is closed to new replies.