Skip to main content

Right now, someone is trying to break into your nonprofit’s website using the WordPress login page to guess your username and password.

The most common username an attacker will try is “admin” or “administrator”. Using automated bots, they’ll try variations that may include hyphens or underscores.

For example, if you have a user named “Anne,” they might try this:

  • admin-anne
  • anne-administrator
  • anne_administrator
  • admin_anne
  • anne-admin
  • anne_admin
  • adminanne
  • anneadmin
Nonprofit security mistakes with WordPress: username hacks

Depending on your organization’s level of website traffic, username guessing attempts could be happening every five minutes to every hour. Crazy, right?

You’re probably thinking: I always use “admin” for my username on our nonprofit's site. What’s the big deal?

The problem with is approach is that most hackers will use a technique called a brute force attack to break into your site, over and over again.

The WordPress login page (your front door) is one of the first places an attacker will try to get in. They’ll use automated software or “bots” that will try to guess your username many times over time until they either fail or get inside.

If they do get inside, secret code usually is added deep inside your WordPress theme files and plugins. The attacker will have full access to your site and you won’t know it’s there until something goes wrong.

A hacker can do all kinds of damage to your site:

  • Delete pages, blog posts, or your theme
  • Delete user accounts
  • Take your website offline and demand a ransom
  • Steal personal data from users: names, addresses, emails, credit card information
  • Install software that records what you type on your keyboard

“It’s like the shores of this war are spilling onto us. The next two or three years will really be about circling the wagons. I feel like we’re the poor townspeople who can’t protect ourselves. We need a gunfighter and I don’t know where to find that person.”

–  Jim Daniell of Oxfam, on cybercrime against nonprofits

Hopefully, you learned a valuable lesson which can keep attacks from happening on your WordPress website in the first place.

It’s really simple: never use “admin” or “administrator” for your username.

Otherwise, you’ve left the front door open to get hacked.

It’s important for your marketing team to adopt a security practice of always creating usernames that are unique to provide a layer of protection.


  • Admin username – make sure you change it to something unique to avoid bots and hacking attempts.
  • Change your user account permissions – only let one or two folks have administrator access on your site so it limits ways a hacker’s bots can try to gain access your login page.
  • Randomly generate usernames – if you’re stuck with making a good username, try a tool to create unique usernames that can’t easily be guessed by automated software.