Earlier on we have seen how to change a WordPress user ID. That article focuses on the WordPress administrator user, though the procedure applies to any other WordPress user irrespective of its role.
By changing the WordPress user ID of the WordPress administrator account you can delay the attackers’ efforts, and if you are using an activity log plugin for WordPress you can spot such an attack and take evasive action. But what about all the other WordPress users that are used to publish content? In a default WordPress installation their WordPress usernames can easily be found, as explained further below.
The best way to protect your WordPress usernames is to implement both WordPress hacks: change the WordPress user ID and hide WordPress usernames. This WordPress security tutorial explains why you should hide the WordPress username, and how to hide it completely to further improve the security of your WordPress sites and blogs.
Why Hide WordPress Usernames
WordPress usernames can easily be guessed. A guessed username makes the attackers’ life easier, especially in the case of a targeted WordPress hack attack. Attackers can use a tool such as WPScan to guess your WordPress username, or simply enter a URL such as the following:
If the author ID is valid then they will be redirected to the author URL, for example:
The above is possible even when you change the WordPress user IDs. For example, if you changed the user ID to 1000, then by requesting the URL http://www.example.com/?author=1000 the attacker can guess the username. This means that you would be delaying the guessing attack but not completely eliminating it.
WordPress usernames can also be found in the source of blog posts and pages, which is why it is imperative that you hide the username and never publish anything using the WordPress administrator account. In the screenshot below, the username of the author (in this case ruby) is highlighted in orange.
How to Hide WordPress Usernames
Below is an easy-to-follow, step-by-step procedure that explains how to hide WordPress usernames.
- Navigate to the WordPress user’s profile page and make sure the First Name, Last Name and Nickname are populated.
Note: the nickname is typically auto-populated with your username. The nickname exists to give you the option to set the display name to something other than your username or first and last name, so do not fret much about it from the security point of view.
- From the Display name publicly as drop-down menu select how the user’s name should appear in blog posts, pages etc. Choose something that is different from the WordPress username.
- The next step is to change the user_nicename entry for that particular username in the WordPress database. To do so, follow either of the procedures below:
Change user_nicename Entry via phpMyAdmin
- Log in to your hosting provider’s cPanel and click phpMyAdmin in the Databases section
- Click on your WordPress database and click on the wp_users table (if you changed the prefix, the table name should be [yourprefix]_users)
- Click the Edit button next to the user you would like to edit, as highlighted in the below screenshot
- Change the user_nicename entry to something different from the username, as highlighted in the below screenshot
- Click Go to save the changes.
Change user_nicename Entry via MySQL Command Line
Log in to MySQL using the command line and issue the following command. For the below example we will use an account with the following details: username ruby, First Name Ruby, Last Name Abela:
UPDATE `wpdb`.`wp_users` SET `user_nicename` = 'ruby-abela' WHERE `wp_users`.`ID` =3;
Below is a syntax explanation of the above command:
UPDATE `[WordPressDatabase]`.`[UsersTable]` SET `user_nicename` = '[NewNicename]' WHERE `[UsersTable]`.`ID` = [UserID];
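An audit-then-update version of the command above, as an added example that is not part of the original article: it assumes the default wp_ table prefix and reuses the article's sample account (ID 3, username ruby, new nicename ruby-abela). The first query only approximates how WordPress derives the default nicename from the username (lowercased, spaces turned into hyphens), so treat its output as a starting list.

```sql
-- Added example. Assumes the default `wp_` prefix; use [yourprefix]_users if you changed it.

-- 1. Audit: list accounts whose author slug or display name still reveals the login.
--    By default WordPress derives user_nicename from user_login, so the two usually match.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_nicename = REPLACE(LOWER(user_login), ' ', '-')
   OR display_name = user_login
ORDER BY ID;

-- 2. Before renaming, make sure no other account already uses the new slug.
--    Author archive URLs are looked up by user_nicename, so duplicates must be avoided.
SELECT COUNT(*) AS slug_in_use
FROM wp_users
WHERE user_nicename = 'ruby-abela'
  AND ID <> 3;

-- 3. Only if slug_in_use is 0: apply the change to the sample account (ID 3).
UPDATE wp_users
SET user_nicename = 'ruby-abela'
WHERE ID = 3;

-- 4. Verify: the row should show the new slug, and it should differ from user_login.
SELECT ID, user_login, user_nicename, display_name,
       (user_nicename <> user_login) AS slug_hides_login
FROM wp_users
WHERE ID = 3;
```

Re-run the first query after each change; an empty result means no remaining account matches the default pattern.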
Test if the WordPress Username is Hidden
Prior to changing the user_nicename, if you click on the author’s name in a blog post WordPress redirects you to the author’s archive page, where the last parameter in the URL is the username itself:
After changing the user_nicename, if you click on the author’s name in a blog post, or try to guess the username using WPScan or via a specific URL, you will be redirected to the below URL, which includes the user_nicename rather than the WordPress username; therefore the username is not disclosed.
Does Hiding of WordPress Usernames Improve WordPress Security?
Some argue that there are other ways an attacker can discover WordPress usernames, so why hide them in the first place? By that reasoning, why would one take any type of evasive action?
As many in the security industry will tell you, there is no security solution that works 100%. Still, WordPress administrators and owners should always do their best and implement security solutions, or in this case WordPress hacks, to make it more difficult for a malicious hacker to penetrate and damage their WordPress installations. Therefore, one can conclude that hiding the WordPress usernames does improve the security of your WordPress websites and blogs.