Whether you use WordPress or some other CMS (Content Management System) you really shouldn’t use admin as the full access login user. I haven’t used an auto-installer for years, but many were at the time famous for using that as the login. Hopefully, they have the option of selecting a different login now, but I wouldn’t count on that in all cases.
The reason you don’t want to use admin is because it is the most common and guessed login name there is and administrator is probably the second most common.
What you end up with are all kinds of attempts at gaining access to your website using admin as the login. Sometimes it’s real people, but a lot of it is automated software and scripts.
By not using this account login name from the start you will make it much more difficult for these annoying things.
I have been developing and working on a side project website in my spare time, and just for fun I did use admin as the login to see just how long it would take before someone or something tried to gain access.
This particular project is not completely finished at the time of this publication. However, it has been online for about 3 weeks now.
Just a few days ago a plugin that I use to detect and stop these things notified me that the admin account had been locked for 24 hours. Meaning someone (or thing) tried logging in several times in a short period of time, and the system automatically disabled logging in with that account for everyone.
The nice thing about this particular plugin is that it goes by failed attempts from any IP address. Not failed attempts from the same IP address. A lot of these automated things are programmed to use a different IP address each time so if you have a plugin that doesn’t stop it until there have been 5 failed attempts from the same IP it may not be stopping as many as you think it is.
It also sends me an email with a link to click on to restore access to the account so I can log back in.
I haven’t advertised or promoted this website at all yet. So, that means it has been online barely 2 1/2 weeks before I received notification of too many failed admin login attempts. The only thing that I have done publicly was I ran a few tests at GTmetrix, Pingdom, and WebPageTest.org to optimize and fine-tune it a little.
Obviously I have since changed the admin user login name, but I really wasn’t expecting it to happen in such a short amount of time for a new website with no advertising or promoting.
I can only imagine how often this must happen to established sites, not to mention the popular and well-known. Some of them probably get this non-stop all day long.
You will never stop or prevent it all, but you don’t want to make it easy by using admin as your login.
You could always use adminjohn, johnadmin, johntheadmin, etc. Just about anything will make it much more difficult.
So, when possible choose something unique and different when installing your CMS. If you use an installer that automatically uses admin, then definitely change it to something else as soon as you can.