I’ve recently learned some very useful information about WordPress users’ information and the security of that information. My friend’s business website was hacked and started displaying some inappropriate content that she didn’t know about until another friend pointed it out to her. Here, my friend didn’t realize that one very important tip for maintaining a healthy WordPress site is to not have the username “admin”, which effectively gives hackers half the information they’re looking for.
My friend has free lifetime hosting and was told by the hosting company that it is not possible to change your WordPress username. That’s not true! If you have a basic understanding and knowledge of navigating your hosting account, you can change the username within the database. I will show you how below.
But that’s not all. After she had her username and password changed and the malware files cleaned up, her brand new security plugin (I recommended Wordfence) caught someone using an almost identical version of her NEW username to try and get in again. A couple days later, my own security plugin caught the same thing on one of my sites. I couldn’t understand how that was possible, we both used really complicated usernames.
So I went into my database to change my username and found out that there’s a field called “user_nicename”. If you were to click on the link of your displayed author name on a post, it would go to a url similar to this: yoururl.com/author/user_nicename. If you used special characters in your username like I had my friend do, the user_nicename is basically your username without those characters. Which was why the hackers were so close but didn’t have it completely right. If you don’t use special characters, the default user_nicename IS your username!
Therefore, I will be showing you where to change your username and while we’re in there, your user_nicename and the display_name (this is also editable within the WordPress dashboard).
First, log in to your hosting account and navigate to the control panel. You’re going to then log in to your phpMyAdmin with the information for your WordPress database. If you don’t have this information, you can first access your site’s files. Within the root folder, there will be a wp-config.php file. Open it and find this information:
// ** MySQL settings – You can get this info from your web host ** //
/** The name of the database for WordPress */
define(‘DB_NAME’, ‘your database name‘);
/** MySQL database username */
define(‘DB_USER’, ‘your database username‘); <———Usually the same as the database name!
/** MySQL database password */
define(‘DB_PASSWORD’, ‘your database password‘);
Screenshots have been edited to protect my information. Your database fields and root folders will not be empty and may look different from mine. Proceed with caution!
Go back to phpMyAdmin and login with your database username and your database password. If you choose to reset the database password (there is an option in the GoDaddy hosting dashboard) do NOT reset the database password without changing it within wp-config.php. Your site will not be able to connect to the database and will NOT LOAD!
Inside the database, you should have a menu on the left hand side with the database tables. Look for wp_users. Once you’re in wp_users, make sure you’re on the “Browse” tab and you’ll see a table of the usernames. Next to the one you want to edit, click on the pencil icon. You’ll then be on a page with open fields you can edit. You will ONLY edit user_login (your new username…remember NOT “admin”), user_nicename (keep it completely urelated to your username), and display_name (what everyone sees as the post’s author). Make sure to save this and then exit. Always log out and close browser windows after working with security information.
Now log in to your WordPress dashboard with your new username and old password. You can edit the password as usual under “Users”.
That’s it! I hope this helps anyone having trouble with malicious login attempts into your site, it’s just another level of defense. Do it again as needed and regularly monitor your site!
Remember, Techmomogy is not responsible for anything happening to your site. Proceed with caution and if you are unsure what to do, find someone that can help or ask your hosting company for assistance!