Hide Your WordPress Login from Author Archive


Did you know that your WordPress login username can be leaked quite easily through the permalink of your author archive page?

http://websiteurl.com/author/username/

The important part is /author/username/: that last segment is where your login username can leak.

How This Works…

When you create a new user on your WordPress site, you assign that user a username (user_login) for logging in.

The wp_users table in the WordPress database also has a column called user_nicename. WordPress fills it in automatically when the user is created, deriving it from the login name (lowercased, with spaces turned into hyphens), so for a typical login it is simply the login name itself. Once populated, user_nicename cannot be changed from the WordPress Dashboard; the profile screen has no field for it.

WordPress uses user_nicename (also called the user's slug) to build the author archive permalink. It is the slug, not the display name shown on the page, that goes into the URL. With pretty permalinks enabled, the archive can also be reached by user ID, because /?author=1 redirects to the same permalink, so the slug is exposed to anyone who cares to look.

For example, say you've created a new user called testuser.  At http://websiteurl.com/author/testuser you get a page like this:

[Screenshot: author archive page for "Test User" at /author/testuser]

So an attacker can look at the URL and guess that the login username for Test User is testuser.  That brings her one step closer to the dashboard credentials: she now only needs the password.  If Test User has a weak password, a little brute forcing is all it takes to get into the dashboard.

How to Hide Your Username

By changing user_nicename to something quite different from the actual login username, the author archive URL no longer hands the login name to whoever reads it.  This closes one easy enumeration path; it is not a substitute for strong passwords or for limiting login attempts.  Newer WordPress versions also expose the same slug through the REST API users endpoint (/wp-json/wp/v2/users), so the change helps there too.

For example, after changing user_nicename to "Jane-Doe", the URL of testuser's author archive page becomes http://websiteurl.com/author/Jane-Doe.  The login username, testuser, no longer appears in the URL.

Since user_nicename cannot be edited from the WordPress Dashboard, you have to make the change in the database directly.  You need access to your WordPress database with permission to modify data (for example through phpMyAdmin).  Take a database backup first, and check the table prefix in wp-config.php: wp_users is the default name, but many installs use a different prefix.

Here are a few more pointers:

  • You can set user_nicename to almost anything, but something meaningful makes the URL cleaner (and more search-engine friendly).
  • Don't use special characters.  Stick with letters, numbers, _ and - (hyphen).
  • Case doesn't matter: Jane-Doe and jane-doe resolve to the same archive.  WordPress itself stores slugs in lowercase, so lowercase is the safer choice.
  • If you put a space in user_nicename, as in "Jane Doe", the author archive URL will return a 404 Page Not Found error.  WordPress turns spaces in the requested URL into hyphens before looking the slug up, so the requested "jane-doe" never matches the stored "Jane Doe".

    That is not necessarily a bad thing in itself, but it can cause search-engine crawl errors, which may affect your site's ranking.

  • After updating user_nicename, check whether the old author archive URL has been indexed or cached by search engines.

    Try this search in Google to see whether the old URL is indexed or cached:  inurl:/author/username (replace username with your own login username).

    If the old URL was indexed, you can request its removal from Google's search results.

  • It's also worth putting some thought into the login username itself when you create an account.  Make it unique and hard to guess, yet memorable to you and you only.
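
As an added example (not from the original post), here is the same change done as SQL statements instead of clicking through phpMyAdmin. It assumes the default wp_ table prefix, the login name testuser and the new slug jane-doe; substitute your own. It also goes slightly beyond the text by first listing every account whose slug still matches its login, which is handy on sites with several users. Back up the database before running the UPDATE.

```sql
-- Added example, not from the original post.
-- Assumptions: table prefix wp_ (see $table_prefix in wp-config.php),
-- login name 'testuser', new author slug 'jane-doe'.

-- 1. Find every account whose author slug still gives the login away.
--    WordPress derives user_nicename from user_login when the user is
--    created (lowercased, spaces turned into hyphens), so compare against
--    that normalised form as well as the plain lowercased login.
SELECT ID, user_login, user_nicename
FROM wp_users
WHERE user_nicename = LOWER(user_login)
   OR user_nicename = LOWER(REPLACE(user_login, ' ', '-'));

-- 2. Make sure the slug you want is free. WordPress expects slugs to be
--    unique: get_user_by('slug', ...) returns a single row, so a duplicate
--    would make two authors share one archive.
SELECT ID, user_login
FROM wp_users
WHERE user_nicename = 'jane-doe';
-- expected: Empty set

-- 3. Change the slug. Lowercase letters, digits, '-' and '_' only: the
--    incoming URL segment is passed through sanitize_title(), which
--    lowercases it and turns spaces into hyphens, so a stored slug with a
--    space or other special character can never match and the archive 404s.
UPDATE wp_users
SET user_nicename = 'jane-doe'
WHERE user_login = 'testuser';

-- 4. Verify: exactly one row, and the slug no longer equals the login.
SELECT ID, user_login, user_nicename
FROM wp_users
WHERE user_login = 'testuser';
```

After step 3, http://websiteurl.com/author/testuser should return a 404 and http://websiteurl.com/author/jane-doe should show the archive; if the old URL still works, your site is probably caching pages and the cache needs clearing.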

UPDATE June 4, 2013:

[Screenshot: user profile screen showing the "Nickname" and "Display name publicly as" fields]

Check the "Nickname" and "Display name publicly as" fields in your user profile and make sure neither of them is your login username.  WordPress pre-populates "Nickname" with the username by default, and if you leave it like that, your username can still show up wherever the theme prints the author's name, including the page title of the author archive.

[Screenshot: browser page title showing the username]
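
To check every account at once instead of opening each profile, here is an added SQL audit (not from the original post; it assumes the wp_ table prefix and the login testuser). The nickname is stored in wp_usermeta under meta_key 'nickname'; the display name is the display_name column of wp_users.

```sql
-- Added example, not from the original post. Assumes the wp_ table prefix.
-- Nickname is user meta (meta_key = 'nickname'); display name is a column
-- of wp_users. Both are printed publicly; neither should equal user_login.

-- Accounts whose nickname or display name is still the login name.
-- The LEFT JOIN keeps accounts that have no nickname row at all, so they
-- still appear in the listing for manual review.
SELECT u.ID,
       u.user_login,
       u.user_nicename,
       u.display_name,
       m.meta_value AS nickname
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m
       ON m.user_id = u.ID
      AND m.meta_key = 'nickname'
WHERE u.display_name = u.user_login
   OR m.meta_value  = u.user_login;

-- Fixing one account from the database. Unlike user_nicename, these two
-- fields can also be changed from Users > Your Profile in the Dashboard.
UPDATE wp_users
SET display_name = 'Jane Doe'
WHERE user_login = 'testuser';

UPDATE wp_usermeta
SET meta_value = 'Jane Doe'
WHERE meta_key = 'nickname'
  AND user_id = (SELECT ID FROM wp_users WHERE user_login = 'testuser');
```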
  • fbherr

    Just found this article, which described, and solved, my exact problem. Thank you!

    • http://itpixie.com/ IT Pixie

      You’re welcome! Glad to hear that you found it helpful!

  • lebigcheese

    What if you’ve got multiple users? how do you go about changing/hiding each of their usernames?

    Or put another way – if I follow your instructions, how do I know which username is then hidden if there are multiple users?

    • http://itpixie.com/ IT Pixie

      You do not change the usernames of users directly in the database, at least that’s not recommended. The post shows you how to prevent people from guessing usernames by looking at the author archive URLs.

      You can hide the usernames of all users you have in your WordPress database by repeating the steps described in the post for each user.

      You know which username is hidden because you can see it in your WP database. And remember, only you (as owner of the site) and whoever you authorize to access your database should be able to make such changes.

  • Hillary Norfleet

    Great post, but what about the page title? After changing my nicename and looking at the resulting page I still see Sitename – username

    • http://itpixie.com/ IT Pixie

      I assume you’re talking about when you “View Source” on the page… That actually has to do with your theme. It is likely that for some reason, your archive page template, which is dependent on your theme, was written to include the username in the page title (which I think is a rather poor practice). If you are familiar with HTML and PHP, you could change that to display user_nicename, or at least not display the username anymore.

      • Hillary Norfleet

        Yes, looks like it is controlled in header.php of the theme. Not sure how to affect this without messing up titles sitewide:

        • http://itpixie.com/ IT Pixie

          You need to figure out how the variable $title is being populated. Somewhere in the code, there’s a query that’s grabbing the username information and putting it into $title. Find that query, and change it to not grab the username.

          On second thought… Make sure the “Display name publicly as” in your user profile is not filled with your username. WP populates that with the username by default, so you should change that to something else.

  • Hillary Norfleet

    I found that the plugin WordPress SEO by Yoast (http://yoast.com/wordpress/seo/) does exactly what I need. Thanks!

    • http://itpixie.com/ IT Pixie

      I think that plugin might have some vulnerability that allows others to hack your site. Make sure you Google it to see if vulnerability has been patched before installing it.


  • http://workmoneyfun.com/ Rajan M

    Thanks a lot for this tutorial. I changed the nickname from my login username to my own name. When I click my name under the blog post title, the page opens the homepage. How do I link my name to the “About” page so that when clicking on my name, it opens the “About” page? Please suggest.


