Why You Should Not Have User ID 1 in WordPress

Posted in Articles


The user with ID 1 is the default admin user created when you first install your WordPress site. This is fairly common knowledge: most WordPress developers know it, and attackers know it too, and they use it in exploits that attempt to reset this user's password in order to gain entry.

One such exploit involves putting a command such as

wp_set_password('dumbpassword', 1);

into the theme's functions.php file.  As described in our previous tutorial, this is how to reset the password of user ID 1 to 'dumbpassword'.  This is not some arcane command.  It is a public WordPress API documented here.

But of course, if an attacker has gained the ability to write this command into your functions.php file, they have already gained access to your site.  This can happen if the attacker has obtained FTP access, WordPress admin access, or access to your web host.

The more likely scenario is an attacker who does not have access but has tricked you into installing a free WordPress theme whose functions.php file already contains this command.

When the theme is loaded, the attacker can go to the login page and type the username and the newly reset password (in this example 'dumbpassword').  To gain entry, the attacker also has to guess the username, and the username they are going to try is "admin".  That is why you should never have a user named "admin".

When the attacker types both the username and the newly reset password correctly, WordPress redirects back to the login page for re-entry.  This is because every time the login page loads, the password is reset again, and every time the password is reset, WordPress logs the user out and redirects to the login page.

At this point, the password has been changed but everyone is locked out (including yourself).

The attacker can only get in with the new password once the wp_set_password('dumbpassword', 1); line is removed.  That happens when the theme is deleted from the server or when the active theme is changed.

Once the command is removed, the attacker can type the username and the new password into the login page and gain access.

It is true that a lot of things have to happen just right, and in sequence, for the attacker to gain access.  Nevertheless, it is better to change the user ID to something other than 1 and to change the username to something other than "admin".  The iThemes Security plugin lets you do both.  See our other tutorial on how to change the user ID from 1.
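As an added check that is not code from the original article: a small Python scanner that flags hard-coded wp_set_password() calls in a theme's PHP files, so a downloaded theme can be inspected before it is activated. The sample functions.php contents and the function names in it are constructed for this example.

```python
import re
from pathlib import Path

# Matches wp_set_password( '<password>', <literal user id> ), tolerating
# whitespace and either straight quote style around the password argument.
WP_SET_PASSWORD = re.compile(
    r"""wp_set_password\s*\(\s*(?P<q>['"])(?P<password>.*?)(?P=q)\s*,\s*(?P<uid>\d+)\s*\)"""
)

def scan_php_source(source, filename="functions.php"):
    """Return one finding per executable wp_set_password() call with a literal user ID."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # A commented-out call is not executed, so comment-only lines are skipped.
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        for match in WP_SET_PASSWORD.finditer(line):
            findings.append({
                "file": filename,
                "line": lineno,
                "user_id": int(match.group("uid")),
                "password": match.group("password"),
            })
    return findings

def scan_theme_dir(theme_dir):
    """Scan every .php file under a theme directory, not just functions.php."""
    findings = []
    for php_file in sorted(Path(theme_dir).rglob("*.php")):
        findings.extend(scan_php_source(php_file.read_text(errors="replace"), str(php_file)))
    return findings

# Constructed sample of a theme functions.php carrying the reset call.
SAMPLE_FUNCTIONS_PHP = """<?php
// constructed sample theme: looks ordinary apart from one line
add_action('init', 'sample_theme_setup');
function sample_theme_setup() {
    register_nav_menu('primary', 'Primary Menu');
}
wp_set_password( 'dumbpassword', 1 );
// wp_set_password('old', 1);  left commented out, so not flagged
"""

if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_FUNCTIONS_PHP):
        print(f"{f['file']}:{f['line']}: resets the password of user ID {f['user_id']}")
```

Run scan_theme_dir() against the unpacked theme folder before activating it; any finding is reason enough not to install the theme.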