Username Blacklist
Attackers don’t pick random usernames to target — they go for the obvious ones. “admin”, “administrator”, “root”, “test”. If your site allows registrations, those usernames are the first ones bots try to create. And if they exist, they’re the first ones targeted in brute force attacks. This module blocks these risky usernames from being registered in the first place.
Use Cases
- Block registration of commonly attacked usernames like “admin”
- Prevent spam bots from creating test accounts
- Reserve usernames you don’t want users claiming
- Block inappropriate or problematic usernames
- Reduce brute force targets by eliminating common names
How It Works
When someone tries to register with a blacklisted username:
- WordPress validates the registration as normal
- This module checks the username against your blacklist
- If matched, registration fails with an error message
- The would-be user sees “This username is not allowed”
The check is case-insensitive — blocking “admin” also blocks “Admin”, “ADMIN”, and “AdMiN”.
Default Blacklist
The module comes pre-configured with these commonly targeted usernames:
admin
administrator
root
test
demo
You can customize this list in the settings.
Settings
Navigate to Switchboard → Security → Username Blacklist and click the settings icon.
| Setting | Type | Description |
|---|---|---|
| Blocked Usernames | Textarea | One username per line. Case-insensitive. |
Example Blacklist
admin
administrator
root
test
demo
guest
user
support
info
webmaster
postmaster
hostmaster
sales
contact
Adding Custom Usernames
Common additions to consider:
Impersonation prevention:
owner
ceo
founder
official
Spam bot favorites:
guest
user1
testuser
newuser
Reserved for your use:
yourcompanyname
yourbrand
support
help
What Users See
When someone tries to register with a blocked username:
Error: This username is not allowed.
They can choose a different username and register normally.
Integration with WordPress
The module hooks into two places:
- Registration validation — Blocks new registrations with blacklisted usernames
- Illegal user logins filter — Adds your blacklist to WordPress’s built-in illegal logins
This means the protection works for:
- Standard WordPress registration
- WooCommerce registration
- BuddyPress registration
- Most plugins that use WordPress’s registration system
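A sketch of how these two hooks can be wired up, added here as an illustration and not Switchboard's own code. It assumes "registration validation" corresponds to WordPress's `registration_errors` filter; the `example_` names and the sample textarea value are hypothetical.

```php
<?php
// Added example, not the module's source. example_* names are hypothetical.

/** Parse the textarea setting (one username per line) into a lowercase set. */
function example_parse_blacklist(string $textarea): array {
    $set = [];
    foreach (preg_split('/\R/', $textarea) as $line) {
        $name = strtolower(trim($line));
        if ($name !== '') {
            $set[$name] = true;
        }
    }
    return $set;
}

/** Exact, case-insensitive match: "AdMiN" is blocked, "admin1" is not. */
function example_is_blocked(string $login, array $set): bool {
    return isset($set[strtolower(trim($login))]);
}

// Constructed sample setting value with mixed case, CRLF, a blank line and stray spaces.
$example_set = example_parse_blacklist("admin\nAdministrator\r\n\nroot\n test \n");

if (function_exists('add_filter')) {
    // Hook 1: add an error during registration form validation.
    add_filter('registration_errors', function ($errors, $login, $email) use ($example_set) {
        if (example_is_blocked($login, $example_set)) {
            $errors->add('example_username_blocked', 'This username is not allowed.');
        }
        return $errors;
    }, 10, 3);

    // Hook 2: extend WordPress's built-in illegal logins list. Core consults this
    // list when creating a user, which also covers paths that bypass the form.
    add_filter('illegal_user_logins', function ($logins) use ($example_set) {
        return array_merge((array) $logins, array_map('strval', array_keys($example_set)));
    });
} else {
    // Outside WordPress (php CLI): show the matching behaviour on constructed logins.
    foreach (['admin', 'AdMiN', 'admin1', 'Test', 'alice'] as $login) {
        printf("%-8s %s\n", $login, example_is_blocked($login, $example_set) ? 'blocked' : 'allowed');
    }
}
```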
Verification
To confirm the module is working:
- Enable the module and add a username to the blacklist (e.g., “testblock”)
- Log out or use an incognito window
- Go to yoursite.com/wp-login.php?action=register (registration must be enabled)
- Try to register with the blacklisted username
- You should see: “This username is not allowed”
If registration isn’t enabled on your site, you can test via WP-CLI:
wp user create testblock test@example.com
# Should return an error about the username being blocked
FAQ
Does this affect existing users?
No. If someone already has the username “admin”, they can still log in and use their account. This module only prevents new registrations. To remove existing risky usernames, you’d need to edit or delete those user accounts manually.
Is this case-sensitive?
No. Usernames are checked in lowercase. Blocking “admin” will also block “Admin”, “ADMIN”, and any other case variation.
Can I use wildcards or patterns?
No. Each line is an exact username match (case-insensitive). You can’t do patterns like “admin*” to block “admin1”, “admin2”, etc. Each variation needs its own line.
Should I remove existing ‘admin’ users?
Yes, if possible. Changing the admin username is a common security recommendation. Create a new administrator account with a unique username, transfer ownership of content, then delete the old “admin” account.
Does this work with multisite?
The module works on multisite installations, but each site’s blacklist is independent. Configure the blacklist on each site where you want it active.
What about the ‘administrator’ role?
This blocks the username “administrator”, not the role. Users can still have the Administrator role — they just can’t use “administrator” as their login name.
Recommended Security Stack
Username blacklist works best combined with:
| Module | Prevents |
|---|---|
| Username Blacklist | Risky usernames being created |
| Limit Login Attempts | Brute force password guessing |
| Hide WP Version | Version-specific attacks |
| Disable XML-RPC | Amplified brute force attacks |
Together, these modules create multiple layers of login protection.
Building a new site? Set up the username blacklist before opening registration. It’s easier to prevent bad usernames than to clean them up later.
This module blocks registration only. To prevent login attempts entirely for certain usernames (even if they exist), you’d need additional measures like fail2ban or a security firewall.