If you monitor the security logs of your website, you will likely see many attempts to sign into the site with common administrator usernames such as “admin” and “administrator”. These sign-in attempts are from hackers attempting to identify admin accounts they can subsequently attack.
Tip: Rename your real administrator accounts so they are not immediately identifiable as such. You should not have an account named “admin” or “administrator”. Doing this slows down hackers and makes it very obvious when someone is attempting to use an admin account.
If supported by your firewall, you can auto-block IP addresses that attempt to sign into your website with these names. These are names we have encountered in the wild.
Administrator Usernames
- admin
- admin_user
- admin_v3HEj
- admin@wordpress.com
- adminroot
- administrarot
- administratoir
- administrator
- administrator1
- administrator1@wordpress.com
- adminuser
- cmseditor
- etomidetka
- root
- superadmin
- test01
- wadmin
- wadminw
- webadmin
- WhoAdminKnows
- wordpressauto
- wp_rest_api
- wp-system
- wpadminns
- wpsupport
- wwwadmin
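One way to turn the list above into an automatic block list when your firewall accepts a list of IP addresses, shown as an added example that is not from the original article. The log format, the function name `ips_to_block`, the allowlist parameter and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Decoy names from the list above; none should exist as a real account.
DECOY_USERNAMES = {
    "admin", "admin_user", "admin_v3HEj", "admin@wordpress.com", "adminroot",
    "administrarot", "administratoir", "administrator", "administrator1",
    "administrator1@wordpress.com", "adminuser", "cmseditor", "etomidetka",
    "root", "superadmin", "test01", "wadmin", "wadminw", "webadmin",
    "WhoAdminKnows", "wordpressauto", "wp_rest_api", "wp-system",
    "wpadminns", "wpsupport", "wwwadmin",
}

# Assumed log format (constructed for this example, not a real product's).
LINE_RE = re.compile(r'login_failed user="(?P<user>[^"]*)" ip=(?P<ip>\S+)')

# Constructed sample lines using documentation-only address ranges.
SAMPLE_LOG = [
    '2024-05-01T10:00:01Z login_failed user="Admin" ip=203.0.113.7',
    '2024-05-01T10:00:02Z login_failed user="jsmith" ip=198.51.100.20',
    '2024-05-01T10:00:03Z login_failed user="wpsupport" ip=2001:db8::5',
    '2024-05-01T10:00:04Z login_failed user="root" ip=192.0.2.10',
    '2024-05-01T10:00:05Z login_failed user="webadmin" ip=not-an-ip',
    '2024-05-01T10:00:06Z login_ok user="siteowner" ip=192.0.2.10',
]

def ips_to_block(log_lines, real_accounts=(), allowlist=()):
    """Return the source IPs that tried to sign in with a decoy admin name."""
    real = {name.strip().lower() for name in real_accounts}
    # A name still used by a real account cannot be a tripwire: a typo by
    # its owner would get them blocked, so it is dropped from the decoy set.
    decoys = {name.lower() for name in DECOY_USERNAMES} - real
    trusted = [ipaddress.ip_network(net) for net in allowlist]
    flagged = set()
    for line in log_lines:
        match = LINE_RE.search(line)
        if not match or match["user"].strip().lower() not in decoys:
            continue
        try:
            addr = ipaddress.ip_address(match["ip"])
        except ValueError:
            continue  # malformed address: never pass it on to a firewall rule
        if any(addr in net for net in trusted):
            continue  # e.g. your own office or monitoring range
        flagged.add(addr)
    return [str(a) for a in sorted(flagged, key=lambda a: (a.version, int(a)))]
```

Usernames are compared case-insensitively, so “Admin” trips the same rule as “admin”.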
Wordfence
If you use Wordfence on WordPress, see How to block attempted admin logins with WordFence. You can enter the above admin usernames to automatically block anyone attempting to use them.
Reference
- Spaceballs Security: The Top Attacked Usernames and Passwords – a list of the top usernames and passwords attempted in brute force attacks. The article is older (2018) but still relevant.