Admin was the most common username for WordPress admin users. “Do not use admin as administrator username” is also a well-known WordPress security tip. Everybody knows this, and so do hackers. Other than admin, there are more usernames and username patterns that hackers use in their random brute force attacks.
Working in WordPress website maintenance, I have the opportunity to learn about different kinds of hacking behavior. It is interesting to find that random brute force attacks try out different username patterns. Here are some usernames and patterns you should pay attention to and avoid using on your WordPress website:
- root
- administrator
- test
- demo
- (domain-name)
- (domain-name)-com
- (domain-name)-admin
- (domain-name)admin
- admin(domain-name)
As a matter of fact, these are commonly used on WordPress websites in place of the user's real name. A user's real name is hard to guess; the domain name is not.
But don’t stop here. If you also use a security plugin such as Wordfence Security, there is a setting to “immediately block the IP of users who try to sign in as these usernames”. Put these usernames in the list to give your website better protection against brute force attacks.
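Before adding these names to a block list, check that no real account on the site already uses one of them, or that user will be locked out on their next login. The script below is an added example, not part of the original post: it builds the list above for one site and flags existing logins that collide with it. The function names are hypothetical, the domain is assumed to be the bare registered domain, and the "-com" pattern is generalized to the site's own TLD.

```python
import re

# Fixed names from the list above; the domain-based ones are built per site.
STATIC_NAMES = ["admin", "root", "administrator", "test", "demo"]


def targeted_usernames(domain):
    """Build the commonly guessed usernames for one site.

    Assumes `domain` is the bare registered domain, e.g. "example.com".
    """
    host = re.sub(r"^www\.", "", domain.strip().lower())
    labels = host.split(".")
    name, tld = labels[0], labels[-1]
    derived = [
        name,
        f"{name}-{tld}",    # "(domain-name)-com", using the site's TLD (assumption)
        f"{name}-admin",
        f"{name}admin",
        f"admin{name}",
    ]
    return STATIC_NAMES + derived


def audit_logins(domain, logins):
    """Return existing logins that collide with the targeted names.

    Comparison is case-insensitive so "ExampleAdmin" is caught as well.
    """
    targeted = set(targeted_usernames(domain))
    return sorted({login for login in logins if login.strip().lower() in targeted})


if __name__ == "__main__":
    # Constructed sample data: a site and its exported user logins.
    site = "example.com"
    existing = ["ExampleAdmin", "jane.doe", "test", "editor-sam"]

    collisions = audit_logins(site, existing)
    if collisions:
        print("Rename these accounts before blocking:", ", ".join(collisions))

    print("Usernames to add to the block list:")
    print("\n".join(targeted_usernames(site)))
```

The list of existing logins can be exported with WP-CLI (`wp user list --field=user_login`) and passed to `audit_logins`.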