Hide Your WordPress Login from Author Archive
Did you know your WordPress login username can be leaked quite easily through the permalink of the author archive page?
The important part is the /author/username/ segment of that permalink, because this is where your login username can be exposed.
How This Works…
When you create a new user on your WordPress site, you assign this user a username for login purposes.
There is a field in your WordPress database called user_nicename, found in the wp_users table. When a user is created, user_nicename is populated with a URL-safe, lowercased form of the login username (for most usernames, identical to it). Once populated, it cannot be changed, at least not from WordPress’ Dashboard, which has no profile field for it.
WordPress uses user_nicename to build the author archive page permalink.
For example, say you’ve created a new user called testuser. Requesting http://websiteurl.com/author/testuser/ gives you a page like this:
So an attacker can look at the URL and guess that the login username for Test User is testuser. That brings her one step closer to the login credentials of the site dashboard: if Test User also has a weak password, a little brute forcing against the login form is all it takes to get in.
How to Hide Your Username
By changing user_nicename to something very different from your actual login username, you make it much harder for an attacker to learn what the login username is.
For example, by changing user_nicename to “Jane-Doe”, the URL of testuser’s author archive page becomes http://websiteurl.com/author/Jane-Doe. The login username, testuser, is no longer revealed in the URL.
Since user_nicename cannot be updated via the WordPress Dashboard, you will have to make the change in the database directly. You will need access to your WordPress database and the ability to modify its data (for example, using phpMyAdmin).
Here are a few more pointers:
- You can change user_nicename to pretty much anything, but it’s better to use something meaningful to keep your URL clean (and more SEO friendly). It must be unique across users, since two users with the same user_nicename would share one author archive URL.
- Don’t use special characters. Stick with letters, numbers, _ and -
- Case doesn’t matter. WordPress lowercases the author name taken from the URL before looking it up, and the default database collation compares case-insensitively, so Jane-Doe and jane-doe resolve to the same archive.
- Don’t use a space in user_nicename, as in “Jane Doe”; the URL WordPress builds from it will return a 404 Page Not Found error.
That is not necessarily a security problem in itself, but it causes search engine crawling errors, which might affect your site’s SEO ranking.
- After updating your user_nicename, make sure your old author archive page URL has not been indexed and cached by search engines.
Try this search query in Google to see if the old URL was indexed and/or cached: inurl:/author/username (replace username with your old user_nicename, i.e. your login username).
If the old URL was indexed, you can request to have it removed from Google’s search results.
- It’s not a bad idea to put some thought into your login username when you create it. Make it something unique and hard to guess, yet memorable to you and you only.
UPDATE June 4, 2013:
Check the “Nickname” and “Display name publicly as” fields in your user profile, and make sure neither is your login username. WordPress pre-populates the “Nickname” field with your username by default, and if you leave it as is, your username can still be visible in the page title shown by your browser, since the display name is used in the title of the author archive page (and next to your posts).
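As an added example that is not code from the original post, here is the user_nicename change described above done as SQL against the WordPress database, together with the audit queries for the nickname and display name fields from the update. It assumes the default wp_ table prefix, a login username of testuser and a new nicename of jane-doe; adjust all three for your site, and take a database backup before running the UPDATE statements.

```sql
-- Added example (not from the original post). Assumed names: wp_ table
-- prefix, login username 'testuser', new slug 'jane-doe', display name 'Jane Doe'.

-- 1. Audit: which accounts expose their login username in the author archive
--    URL? Compare case-insensitively, since the URL segment is lowercased anyway.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE LOWER(user_nicename) = LOWER(user_login);

-- 2. Audit: which accounts still show the login username as nickname
--    (stored in wp_usermeta) or as the public display name?
SELECT u.ID, u.user_login, u.display_name, m.meta_value AS nickname
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID AND m.meta_key = 'nickname'
WHERE u.display_name = u.user_login
   OR m.meta_value  = u.user_login;

-- 3. Before renaming, confirm the new slug is not already taken by another
--    user; a duplicate would make two users share one archive URL.
SELECT ID, user_login
FROM wp_users
WHERE user_nicename = 'jane-doe';
-- Expect no rows. Also keep the slug to letters, digits, _ and -, no spaces,
-- and at most 50 characters (the column is varchar(50)).

-- 4. Change the archive slug for the one user.
UPDATE wp_users
SET user_nicename = 'jane-doe'
WHERE user_login = 'testuser';

-- 5. Stop the display name and nickname from revealing the login username.
UPDATE wp_users
SET display_name = 'Jane Doe'
WHERE user_login = 'testuser';

UPDATE wp_usermeta AS m
JOIN wp_users AS u ON u.ID = m.user_id
SET m.meta_value = 'Jane Doe'
WHERE u.user_login = 'testuser'
  AND m.meta_key = 'nickname';

-- 6. Verify: re-run the two audit queries above; 'testuser' should no longer
--    appear in either result.
```

The slug is written in lowercase on purpose: WordPress itself lowercases slugs it generates, and a lowercase value keeps working even on a database whose collation compares case-sensitively. After the change, http://websiteurl.com/author/testuser/ should return a 404 and http://websiteurl.com/author/jane-doe/ should show the archive; if the old URL still renders, a caching plugin or the browser cache is serving a stale copy.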