If originally using an older version or WordPress, a Managed WordPress web hosting service or similar auto installation process or script, the default username of 'admin' is/was normally created. Subsequently after version 3.0 you have the option to choose your own username, but unfortunately far too many WordPress users still use ‘admin’ without knowing how vulnerable they are. Popularity comes with increased hacking attempts and WordPress users have to be ever vigilant to safeguard their website super user credentials.
Most hackers will use automated 'brute-force' attacks and methods to repeatedly try to gain access to sites and they target obvious known weaknesses - one of the biggest being the prevalence of so many sites using the 'admin' username. Eliminate that right off the bat by removing the admin user and creating another unique user name.
!! First off, always make a backup of your Wordpress installation and database(s) !!
Create a new username and delete that vulnerable ‘admin’ username.
Step 1. Hover over ‘Users’ in the left navigation panel in your dashboard.
Step 2. Click on ‘Add New User’ in the flyout menu.
Step 3. Fill out the form and choose ‘administrator’ in the ‘Role’ drop down menu at the bottom of the form.
Step 4. Enter a very strong password. Make sure the ‘Strength Indicator’ box reads “strong” when creating your password
Step 5. Click on ‘Add New User’ when you are done. You have now created a new super user.
Step 6. Now logout and then log back in using your new WordPress admin username.
Step 7. Go back to ‘Users’ and select ‘All Users’ from the flyout menu.
Step 8. Locate the user ‘admin’, tick the box and select ‘delete’ from the drop-down menu.
Step 9. Next, you will be taken to a page that will ask, “What should be done with posts owned by this user?” If you have posts published under this old admin user, simply check the “attribute all posts to:” button and select your newly created username. This will transfer all posts created under the admin username to the new one you just created.
You now have just taken a necessary step to making your WordPress powered website even more hacker-proof.
Master Tip: Make sure that the ‘display name’ is different from the username you just created. If the actual username and display name are the same, hackers can potentially identify the admin username... not good.