We recently had a client’s site that was getting a brute force attack on their multisite’s super admin username. The fun part was that this caused that username to get hit with a lockout every few minutes, so they couldn’t log in. We needed to get this fixed, but didn’t want to shut off iThemes Security’s brute force protection in the process.
The Problem
The first step was to try to get the lockout cleared via the database. The problem was by the time I cleared the lockout and tried logging in, the bot had already caused another lockout. Not going to work.
I was, however, able to see a pattern in the lockouts present in the database. Namely, they were all hitting user ID 2.
From there it only took me a second to realize the problem. While the password for the account was strong enough to keep the attacker at bay, the username was not great. It wasn’t ‘admin’ bad, but it was pretty easy to take a guess at from the site.
We all know you can’t change usernames from the WordPress backend, but it’s easy enough to change it within the database. Well, on a single site at least. Multisite is a whole different can of worms. Mainly with the Super Admin role.
The Fix
The first thing you’ll need to do is get access to your database via phpMyAdmin, Sequel Pro, or however else you prefer to connect to your database. Oh, and take a backup of the database before you start editing things.
Change The Username
Once there you’ll need to navigate to your wp_users table and change the ‘user_login’ for the affected user to something a bit more unique than, say, ‘admin’ or ‘sitename’.
Perfect. We’d be good to go if we weren’t a Super Admin. If you try to access the role now you’ll see you don’t have access to your super admin privileges anymore. Not good.
Keep Super Admin Privileges
The fix to this particular problem is a little trickier. You’ll need to navigate to your wp_sitemeta table and look for the meta_key ‘site_admins’; you should see something like “a:1:{i:0;s:5:"admin";}” in the meta_value field. All we need to do at this point is change that to “a:1:{i:0;s:12:"new-username";}”.
Basically you’re replacing "admin" with "new-username", and since "admin" is 5 characters long and "new-username" is 12 characters long, we change “s:5” to “s:12”. That should do it. You should now be able to log in with your new username and still have network admin privileges.
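Counting the s:N length by hand is where this edit usually goes wrong: PHP stores the length in bytes, not characters, so a username with non-ASCII characters (or a network with more than one super admin) needs more care than the single-admin case above. The following is an added example in Python, not code from the original post or from WordPress or iThemes, that parses the serialized site_admins value, validates the declared lengths, swaps the username and re-serializes it in the same format PHP’s serialize() produces, so the result can be checked before it is pasted into meta_value.

```python
import re

# Handles the subset of PHP serialization WordPress uses for site_admins:
# an array of strings with integer keys, e.g. a:1:{i:0;s:5:"admin";}
_KEY = re.compile(rb"i:\d+;")
_STR = re.compile(rb's:(\d+):"')


def parse_site_admins(value: bytes) -> list:
    """Return the usernames in a serialized PHP string array, checking that
    every declared s:N length matches the actual number of bytes."""
    head = re.match(rb"a:(\d+):\{", value)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, names = int(head.group(1)), head.end(), []
    for _ in range(count):
        key = _KEY.match(value, pos)
        if not key:
            raise ValueError("expected integer key at byte %d" % pos)
        s = _STR.match(value, key.end())
        if not s:
            raise ValueError("expected string value at byte %d" % key.end())
        length, start = int(s.group(1)), s.end()
        # s:N counts bytes, so exactly N bytes must sit between the quotes
        if value[start + length:start + length + 2] != b'";':
            raise ValueError("declared length %d does not match data" % length)
        names.append(value[start:start + length].decode("utf-8"))
        pos = start + length + 2
    if value[pos:] != b"}":
        raise ValueError("unexpected trailing data after array")
    return names


def serialize_site_admins(names: list) -> bytes:
    """Serialize usernames the way PHP's serialize() does (lengths in bytes)."""
    body = b"".join(
        b'i:%d;s:%d:"%s";' % (i, len(n.encode("utf-8")), n.encode("utf-8"))
        for i, n in enumerate(names)
    )
    return b"a:%d:{%s}" % (len(names), body)


def rename_super_admin(value: bytes, old: str, new: str) -> bytes:
    """Produce the new meta_value with `old` replaced by `new`."""
    names = parse_site_admins(value)
    if old not in names:
        raise ValueError("%s is not listed as a super admin" % old)
    return serialize_site_admins([new if n == old else n for n in names])
```

Run the old meta_value through rename_super_admin() and paste the returned string into wp_sitemeta; if the original value fails to parse, the row was already malformed and is worth looking at before editing further.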
- Side note: change your ‘wp_’ table prefix to enhance your site’s security. iThemes Security can help you do it easily.