A common security measure to protect your website from brute-force attacks is to hide or mask your WordPress administrator username. This article will explain what the WordPress Author Enumeration vulnerability is and what measures you can take to prevent your administrator account from being brute-force hacked, and ultimately how to hide your WordPress admin username.
Use a Unique Username for Your WordPress Login Account
When I set up a new WordPress website I want to make sure that the WordPress admin username (login name) is unique. It is perplexing how much emphasis is placed on just the password instead of both the username and the password. Traditionally the primary concern has been to help users pick a strong password that isn’t simple or easy to guess. But what about the username?
Logically, if you didn’t know the administrator username you would never be able to log in to the website. Hiding, or masking, the username seems like a simple solution to prevent brute-force hack attempts. Unfortunately, WordPress doesn’t provide any type of mechanism to prevent this exploit without an additional plugin.
How to Find the WordPress Admin Username
If you want to discover the administrator login for a WordPress website, simply visit the author page for user ID 1 in your browser (replace the domain with your own site):
https://example.com/?author=1
The above URL will take you to the author page of a WordPress website for user ID 1. Notice that when the author page loads, the URL changes to show the author slug, which is also the WordPress admin username. As you can see, this is a major security vulnerability.
What is an Author Slug?
When WordPress is initially installed it creates an administrator account and a slug for the author page. This author slug is used in the page URL when you are viewing the archive for an author’s blog posts. WordPress by default does not let you directly change this.
How Do You Change the Author Slug?
I use the free plugin Edit Author Slug which rewrites the author slug and displays an author name in the URL different from the administrator login username.
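The leak described in the "How to Find" section and the slug change described here, shown together as an added example for this article. This is not code from WordPress core, the Edit Author Slug plugin or WordFence; it is a hypothetical must-use plugin, and every function name prefixed `aeg_` is my own. It assumes a standard WordPress install where the author slug is stored in the `user_nicename` field and `/?author=N` is answered with a redirect to `/author/<slug>/`.

```php
<?php
/**
 * Plugin Name: Author Enumeration Guard (added example)
 *
 * Example mu-plugin written for this article, not code from the Edit Author Slug
 * or WordFence plugins. Copy it into wp-content/mu-plugins/ to activate it.
 * All function names prefixed aeg_ are hypothetical.
 */

// The default leak: WordPress answers /?author=1 with a redirect to
// /author/<user_nicename>/, and user_nicename is copied from the login name at
// install time. Refusing the numeric probe on the front end removes the redirect.
function aeg_block_author_id_probe() {
    if ( is_admin() ) {
        return; // wp-admin list tables filter by ?author=<id> legitimately
    }
    $author = isset( $_GET['author'] ) ? $_GET['author'] : null;
    if ( is_string( $author ) && preg_match( '/^\d+$/', $author ) ) {
        // Log the probe: a burst of these from one address is an early signal
        // that password guessing against the discovered name may follow.
        error_log( sprintf(
            'author enumeration probe blocked: ip=%s uri=%s',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : ''
        ) );
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'init', 'aeg_block_author_id_probe' );

// The same slug is listed by the public REST endpoint /wp-json/wp/v2/users for
// every user with published posts, so hide that endpoint from anonymous visitors.
function aeg_hide_users_endpoint( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
}
add_filter( 'rest_endpoints', 'aeg_hide_users_endpoint' );

// Decouple the slug from the login name, which is what the Edit Author Slug
// plugin does through its settings screen. user_nicename is the field behind
// the /author/<slug>/ URL; the login name itself is left untouched.
function aeg_decouple_author_slug( $user_id, $new_slug ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'aeg_no_user', 'No such user.' );
    }
    $new_slug = sanitize_title( $new_slug );
    if ( '' === $new_slug || $new_slug === sanitize_title( $user->user_login ) ) {
        return new WP_Error( 'aeg_bad_slug', 'Slug must be non-empty and differ from the login name.' );
    }
    // wp_update_user() accepts user_nicename and makes it unique if it collides.
    return wp_update_user( array( 'ID' => $user_id, 'user_nicename' => $new_slug ) );
}

// Equivalent one-off from the command line (WP-CLI), e.g. for the user created at install:
//   wp user update 1 --user_nicename=editorial-team
```

Two things to check after deploying something like this on your own site: request `/?author=1` without following redirects and confirm the response is a 403 rather than a 301 whose `Location` header contains the login name, and confirm that `/author/<old-login-name>/` no longer resolves once the slug has been changed (the author archive URL moves with the slug, so update any sitemap or internal links that pointed at the old one). Hiding the name raises the cost of a brute-force attempt; it does not replace a login rate limit or a strong password.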
Final Thoughts: Is the WordPress Admin Username Safe from Brute-Force Attacks?
I recommend taking this security precaution for any WordPress website, even if you think your password is strong. Masking your author URL will make it almost impossible for anyone to access your account if the username is never known, which will prevent brute-force attacks.
Our WordPress Security Service can protect your website from brute-force login hacks with the WordFence plugin, which includes a feature to prevent the discovery of usernames through WordPress Author Enumeration (‘/?author=N’) scans. Give us a call today at 602-633-4758 to learn more about protecting your WordPress website.