Random User IDs


This plugin randomizes the ID of the user created during WordPress setup. It will also allow randomizing the ID of any newly created user once an already-proposed patch to WordPress core gets merged.

You can find the plugin's code on GitHub: https://github.com/davefx/dfx-random-user-id


Evil hackers are always trying to take advantage of any information they know about a site. There's something common to all WordPress sites: they are created with an administrator user with ID=1. New user IDs are then assigned in order after this one: 2, 3, 4, 5…

Good WP administrators will remove this first-created admin user and create a new one with another ID number, but the fact that new user IDs are assigned sequentially is something that can be used against us.

While attending WordCamp Madrid 2017, I listened to Tomás Sierra's talk about WP site security, which noted this problem. This inspired me to build this plugin, which I started the next day at that WordCamp's Contributor Day.

How it works

Once activated, the plugin will immediately replace the ID of the default admin user (user ID 1). By default, the plugin will use random user IDs between 1 and 4503599627370495 (to ensure compatibility with JavaScript code using the user ID).

From that moment on, every newly created user gets a random user ID in the defined range.

How to customize the range for new user IDs

You can customize the range the plugin uses for randomly generated user IDs with the WordPress filters dfx_random_user_id_max_id and dfx_random_user_id_min_id.

For example, if you want to have all your user IDs between 1000 and 9999 you can add the following lines to your theme’s functions.php file:

function set_dfx_max_user_id( $default_max_id ) {
    // Upper bound for randomly generated user IDs.
    return 9999;
}
add_filter( 'dfx_random_user_id_max_id', 'set_dfx_max_user_id' );

function set_dfx_min_user_id( $default_min_id ) {
    // Lower bound for randomly generated user IDs.
    return 1000;
}
add_filter( 'dfx_random_user_id_min_id', 'set_dfx_min_user_id' );

You will probably want to add these lines to your code before activating the plugin, so that the new random ID of the main admin user falls inside your desired range.
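
One way the behaviour described under "How it works" can be implemented, as an added example that is not the plugin's own code: it draws IDs with PHP's random_int() and retries on collision, first with the default range and then with the 1000 to 9999 range from the customization section. The function name pick_random_user_id, the constants, the in-memory $taken list and a 64-bit PHP build are assumptions.

```php
<?php
// Added illustration, not the plugin's source. All names here are hypothetical.

const DEFAULT_MIN_ID = 1;
const DEFAULT_MAX_ID = 4503599627370495; // default upper bound quoted on this page

/**
 * Pick an unused ID uniformly at random from [$min, $max].
 * $id_exists reports whether an ID is already taken; on a real site this
 * would be a lookup against the users table (assumption).
 */
function pick_random_user_id( int $min, int $max, callable $id_exists, int $max_attempts = 20 ): int {
    if ( $min < 1 || $max < $min ) {
        throw new InvalidArgumentException( "Invalid ID range: $min..$max" );
    }
    for ( $i = 0; $i < $max_attempts; $i++ ) {
        // random_int() uses the OS CSPRNG, so known IDs do not help predict others.
        $candidate = random_int( $min, $max );
        if ( ! $id_exists( $candidate ) ) {
            return $candidate;
        }
    }
    // Repeated collisions mean the range is too crowded for random assignment.
    throw new RuntimeException( "No free ID in $min..$max after $max_attempts attempts" );
}

// Constructed sample data: IDs already present on a hypothetical site.
$taken  = array_fill_keys( array( 1, 2, 3 ), true );
$exists = function ( int $id ) use ( &$taken ): bool {
    return isset( $taken[ $id ] );
};

// Default range: a collision with an existing ID is practically impossible.
$admin_id           = pick_random_user_id( DEFAULT_MIN_ID, DEFAULT_MAX_ID, $exists );
$taken[ $admin_id ] = true;
echo "new admin ID: $admin_id\n";

// Narrow range from the customization example: only 9000 possible values,
// so the collision check matters and the IDs are far easier to guess.
for ( $n = 0; $n < 5; $n++ ) {
    $id           = pick_random_user_id( 1000, 9999, $exists );
    $taken[ $id ] = true;
    echo "new user ID: $id\n";
}
```

Narrowing the range trades unpredictability for shorter IDs: with 1000 to 9999 there are only 9000 candidates, compared with roughly 4.5 × 10^15 in the default range.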