Five WordPress Security Mistakes Your Nonprofit Is Making

#3 of 5: Using Admin for Your Username

Five WordPress Security Mistakes Your Nonprofit Is Making #3: Using Admin for Your Username

May 17, 2019

Last week, we learned why it’s good practice to spend a little more on premium web hosting for your nonprofit’s WordPress website.

Go cheap and you’ll get what you pay for.

This week’s lesson is about a security mistake you’re probably making by accidentally letting hackers through the front door.

Right now, someone is trying to break into your nonprofit’s website using the WordPress login page to guess your username and password.

The most common username an attacker will try is “admin” or “administrator”. Using automated bots, they’ll try variations that may include hyphens or underscores.

For example, if you have a user named “lisa,” they might try this:

  • admin-lisa
  • admin_lisa
  • lisa-admin
  • lisa_admin
  • lisa-administrator
  • lisa_administrator

Depending on your organization’s level of website traffic, username guessing attempts could be happening every five minutes to every hour. Crazy, right?

You’re probably thinking: I always use “admin” for my username on our nonprofit's site. What’s the big deal?

The problem with is approach is that most hackers will use a technique called a brute force attack to break into your site, over and over again.

The WordPress login page (your front door) is one of the first places an attacker will try to get in. They’ll use automated software or “bots” that will try to guess your username many times over time until they either fail or get inside.

If they do get inside, secret code usually is added deep inside your WordPress theme files and plugins. The attacker will have full access to your site and you won’t know it’s there until something goes wrong.

A hacker can do all kinds of damage to your nonprofit’s site:

  • Delete pages, blog posts, or your theme
  • Delete user accounts
  • Take your website offline and demand a ransom
  • Steal personal data from users: names, addresses, emails, credit card information
  • Install software that records what you type on your keyboard

Online threats to nonprofits are on the rise

In April 2015, The Red Barn’s website was part of a larger, server-wide attack where it was taken over by a group of hackers. To make matters worse, the nonprofit was in the middle of a fundraising event and people were trying to purchase tickets during the attack.

Their executive director, Joy O'Neil, said they didn’t do anything wrong but “it’s a risk nonprofits all have in today’s day and age”.

The hack was so bad the organization had to remove their website, purchase a new domain name, and rebuild it from scratch in three days. No one should have to go through this type of pain.

It’s like the shores of this war are spilling onto us. The next two or three years will really be about circling the wagons. I feel like we’re the poor townspeople who can’t protect ourselves. We need a gunfighter and I don’t know where to find that person."

~ Jim Daniell of Oxfam, on cybercrime against nonprofits

Hopefully, you learned a valuable lesson which can keep attacks from happening on your nonprofit’s WordPress website in the first place.

It’s really simple: never use “admin” or “administrator” for your username.

Otherwise, you’ve left the front door open to get hacked.

It’s important for your marketing team to adopt a security practice of always creating usernames that are unique to provide a layer of protection.


  • Admin username - make sure you change it to something unique to avoid hacking attempts.
  • Change your user account permissions - only let one or two people have administrator access on your site so it limits ways a hacker’s bots can try to gain access your login page.
  • Randomly generate usernames - if you’re stuck with making a good username, try a tool to create unique usernames that can’t easily be guessed by automated software. Have some fun with it!

By Chuck Spidell, the Nonprofit WordPress Security Expert who helps communications teams free up their time and lock down WordPress from getting hacked.