There have been discussions in the past about WP giving us the ability to change the original user name that becomes the log-in name. Yes, there are some good reasons not to allow this such as someone locking themselves out and other inconveniences. But the times have changed so dramatically from a security perspective that it makes sense today.
1. Most users set up WP with a log-in that is their name. Even a low level amateur hacker can find that out in the source code. So now they take that name and try to hack into your WP. This leaves us with only one defense...a really tough password. Just how many WP users actually have difficult to crack passwords? Probably not a lot. The technical savvy do but they are a minority of users. For the average, everyday WP user, simply changing their user name to something that can't be found in the source code would dramatically reduce hacks.
2. And now the really bad news for the techie community. Hackers are getting more and more sophisticated. We all know this. It's like the old Road Runner cartoons where Wiley Coyote tries to get the Road Runner and the Road Runner just barely manages to outwit him. This is the constant battle we face in security. No matter what we do, Wiley Coyote figures it out and then we have to do something even more sophisticated. Anyone who knows anything about security is aware that today you need a password which has a long string of special characters. That is more important than numbers and caps by about 1000%. What percentage of WP users actually use passwords like that? Probably not a lot. We do need to educate them that this is critical today.
But even the best passwords are not going to be enough with the way Wiley Coyote works. Hackers are figuring out ways to crack special character strings though it still takes a really powerful computer to run millions of those sequences.
Today, we have hackers who focus on WordPress sites. They detect its WP, find the user name usually from the source code and then try to hack in. My 404 tracker shows hundreds of log in attempts every week.
So, the next step in computer security, not just for WP but all types of computer access, is the elimination of an an easy to remember user name and replacing it with something that is just like the best passwords we now use. If you have a 12 character user name that combines characters, numbers and special characters and a different 12 character password, the potential for being hacked would be the lowest possible, a fraction of the risk of just using the best passwords today.
Of course, if WP were to allow us to change our user name, there would need to be additional protections and warnings built in so people wouldn't do this overly quickly. Statements asking if you have saved this user name somewhere and are you sure you want to change how you log on to WP would need to be added as a safeguard. There may be other tools that need to be added as well. Are users aware that they shouldn't be typing in passwords and instead copying and pasting them just in case they have a keystroke virus installed in their computer?
It's simply time to ramp up our security defenses to the next level. We also need to do a better job of educating the average user about passwords so all WP sites have the best current protection possible. So yes, I'm recommending that as standard, everyday, universal computer access security, we have to copy and paste two different long strings, one for the user name and one for the password. It is definitely a brave new world. And shortly, WP and all other computer systems and software may need to add a third field with one or two characters to multiply the sequence complexity by another 40 to 80 moving it from the hundreds of millions to hundreds of billions of combinations or even higher.