Why You Should Change the WordPress Administrator User ID

If your WordPress blog or site is a victim of a targeted attack, a malicious hacker can easily identify the WordPress administrator username, either manually or by using automated tools. Once the attacker knows the username of your WordPress administrator, he can launch a brute force or dictionary attack specifically against the administrator account, which makes the attack easier.

If the attacker does not know the WordPress administrator username, he has to guess both the username and the password during a brute force attack. The attack is then much less likely to succeed and takes much longer to complete. The longer the attack takes, the better the chances that you or the hosting provider will identify it, which is exactly what you want.

How to Manually Identify the WordPress Administrator Username

By default, the ID of the built-in WordPress administrator account is 1. Therefore, unless you change the ID of the WordPress administrator to a higher random number, anyone can use the URL below to identify the WordPress administrator username:

https://www.wpwhitesecurity.com/?author=1

If the WordPress administrator ID is still set to 1, the visitor is redirected to the URL below, where the username is shown at the end of the URL. For example, in the URL below the username is superadmin.

https://www.wpwhitesecurity.com/author/superadmin/

How to Change the ID of the WordPress Administrator

Before you change the WordPress administrator account ID, ensure that the administrator account does not have any posts or pages assigned to it. If it does, change the author of those posts or pages to a user with the Author role manually, or write an SQL query to change the author ID of those posts automatically.

Once you have made a WordPress database backup, connect to your WordPress database using the MySQL command line tool or the web-based phpMyAdmin and execute the queries below on the WordPress database:

UPDATE wp_users SET ID = 1024 WHERE ID = 1;

The above MySQL query will change the default WordPress administrator user ID from 1 to 1024 in the wp_users table, i.e. where the user credentials are stored.

UPDATE wp_usermeta SET user_id = 1024 WHERE user_id = 1;

The above MySQL query will change the default WordPress administrator user ID from 1 to 1024 in the wp_usermeta table, where user-related data is stored.

Change Author ID / Attribution On All Posts In a Single Pass

To change the author ID on all posts from the old ID to the new ID 1024, type the following MySQL command:

UPDATE wp_posts SET post_author = 1024 WHERE post_author = 1;

Avoid WordPress User ID Conflicts

By default, WordPress uses incremental values to assign user IDs to newly created user accounts. Therefore, while the built-in administrator has a user ID of 1, the first user you create will have user ID 2, the second user will have user ID 3, and so on. If you think you will create more WordPress users than the number you have used for your new WordPress administrator user ID, you should set the WordPress user ID auto increment value (the counter that WordPress uses to assign new accounts a unique ID) to a bigger value than the one used for the WordPress administrator account. To do so, use the query below:

ALTER TABLE wp_users AUTO_INCREMENT = 2048;

Once you execute the above query, WordPress will assign a user ID of 2049 to the next WordPress user you create.
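
The queries above combined into one guarded run, as an added example that is not part of the original article: it checks that the new ID is free, applies the three updates in a single transaction, and verifies that nothing still references the old ID before committing. It assumes the default wp_ table prefix, InnoDB tables (MyISAM ignores transactions) and the article's values 1, 1024 and 2048; the @old_id and @new_id variables are introduced here for illustration.

```sql
-- Added example (MySQL). Run it statement by statement in the mysql client
-- after taking the database backup described above.
SET @old_id := 1;     -- current administrator ID (from the article)
SET @new_id := 1024;  -- replacement ID (from the article)

-- Pre-flight 1: must return 0. If it returns 1, the new ID already belongs
-- to another account and the UPDATE on wp_users would fail on the primary key.
SELECT COUNT(*) AS new_id_in_use FROM wp_users WHERE ID = @new_id;

-- Pre-flight 2: how many rows reference the old ID. Note these numbers so
-- the counts after the change can be compared against them.
SELECT
  (SELECT COUNT(*) FROM wp_usermeta WHERE user_id = @old_id)     AS usermeta_rows,
  (SELECT COUNT(*) FROM wp_posts    WHERE post_author = @old_id) AS post_rows;

START TRANSACTION;

-- The three changes from the article, applied together so the site is never
-- left with an account whose metadata or posts point at a missing ID.
UPDATE wp_users    SET ID = @new_id          WHERE ID = @old_id;
UPDATE wp_usermeta SET user_id = @new_id     WHERE user_id = @old_id;
UPDATE wp_posts    SET post_author = @new_id WHERE post_author = @old_id;

-- Verification: every *_left column must be 0, and the *_moved columns must
-- match the numbers noted in pre-flight 2.
SELECT
  (SELECT COUNT(*) FROM wp_users    WHERE ID = @old_id)          AS users_left,
  (SELECT COUNT(*) FROM wp_usermeta WHERE user_id = @old_id)     AS usermeta_left,
  (SELECT COUNT(*) FROM wp_posts    WHERE post_author = @old_id) AS posts_left,
  (SELECT COUNT(*) FROM wp_usermeta WHERE user_id = @new_id)     AS usermeta_moved,
  (SELECT COUNT(*) FROM wp_posts    WHERE post_author = @new_id) AS posts_moved;

-- If the verification looks wrong, type ROLLBACK; instead of the next line.
COMMIT;

-- ALTER TABLE triggers an implicit commit in MySQL, so it is kept outside
-- the transaction. It does not accept a user variable, hence the literal.
ALTER TABLE wp_users AUTO_INCREMENT = 2048;

-- Confirm the counter: the AUTO_INCREMENT value appears at the end of the
-- table definition.
SHOW CREATE TABLE wp_users;
```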