
Hide WordPress Usernames to Improve WordPress Security

Earlier on we saw how to change a WordPress user ID. That article focuses on the WordPress administrator user, though the procedure applies to any other WordPress user, irrespective of its role.

By changing the WordPress user ID of the WordPress administrator account you can delay the attackers’ efforts, and if you are using an activity log plugin for WordPress you can spot such an attack and take evasive action. But what about all the other WordPress users that are used to publish content? In a default WordPress installation their WordPress usernames can easily be found, as explained further below.

The best way to protect your WordPress usernames is to implement both WordPress hacks: change the WordPress user ID and hide WordPress usernames. This WordPress security tutorial explains why you should hide WordPress usernames, and how to hide them completely, to further improve the security of your WordPress sites and blogs.

Why Hide WordPress Usernames

WordPress usernames can easily be guessed. A guessed username makes the attackers’ life easier, especially in the case of a targeted WordPress hack attack. Attackers can guess your WordPress username with a tool such as WPScan, or simply by entering a URL such as the following:

http://www.example.com/?author=1

If the author ID is valid then they will be redirected to the author URL, for example:

http://www.example.com/author/admin

The above is possible even when you change the WordPress user IDs. For example, if you changed the user ID to 1000, then by requesting the URL http://www.example.com/?author=1000 the attacker can guess the username. This means that you would be delaying the guessing attack, but not completely eliminating it.

WordPress usernames can also be found in the source of blog posts and pages, which is why it is imperative that you hide the username and that you never publish anything using the WordPress administrator account. In the below screenshot, highlighted in orange, is the username of the author, in this case ruby.

WordPress username shown in source of WordPress blog post or page

How to Hide WordPress Usernames

Below is an easy-to-follow, step-by-step procedure that explains how to hide WordPress usernames.

  1. Navigate to the WordPress user’s profile page and make sure the First Name, Last Name and Nickname are populated.

Note: the nickname is typically auto populated with your username. The nickname exists to give you the option to set the display name to something other than your username or first and last name, hence do not fret much about it from the security point of view.

  2. From the Display name publicly as drop down menu select how the user’s name should appear in blog posts, pages etc. Choose something that is different from the WordPress username.
  3. The next step is to change the user_nicename entry for that particular username in the WordPress database. To do so, follow either of the procedures below:

Change user_nicename Entry via phpMyAdmin

  1. Log in to your hosting provider's cPanel and click phpMyAdmin in the Databases section.
  2. Click on your WordPress database, then click on the wp_users table (if you changed the prefix, the table's name should be [yourprefix]_users).
  3. Click the Edit button next to the user you would like to edit, as highlighted in the below screenshot.
Editing a WordPress username entry in WordPress database with phpMyAdmin
  4. Modify the user_nicename entry to something different from the username, as highlighted in the below screenshot.
Modify the user_nicename from the WordPress database directly using phpMyAdmin
  5. Click Go to save the changes.

Change user_nicename Entry via MySQL Command Line

Log in to MySQL using the command line and issue the following command. For the below example we will use an account with the following details: username ruby, First Name Ruby, Last Name Abela:

UPDATE `wpdb`.`wp_users` SET `user_nicename` = 'ruby-abela' WHERE `wp_users`.`ID` = 3;

Below is a syntax explanation of the above command:

UPDATE `[WordPressDatabase]`.`[UsersTable]` SET `user_nicename` = '[NewNicename]' WHERE `[UsersTable]`.`ID` = [UserID];

Test if the WordPress Username is Hidden

Prior to changing the WordPress username, if you click on the author’s name in a blog post WordPress redirects you to the author’s archive page, where the last parameter in the URL is the username itself:

http://www.example.com/author/ruby/

After changing the username, if you click on the author’s name in a blog post, or try to guess the username using WPScan or via a specific URL, you will be redirected to the below URL, which includes the user_nicename rather than the WordPress username. The username is therefore not disclosed.

http://www.example.com/author/ruby-abela/
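
The test described in this section can be repeated across all accounts once you have many users. The following is an added example, not part of the original article: it takes rows exported from wp_users and the redirect target each /?author=ID request returned on your own site, and reports which accounts still disclose their login. The helper names, the sample rows and the slug approximation (WordPress builds the default user_nicename from the login) are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

def wp_slug(login):
    """Approximate the slug WordPress derives from a login (assumption, not WP's own code)."""
    s = login.lower().replace(".", "-")
    s = re.sub(r"[^a-z0-9 _-]", "", s)
    s = re.sub(r"\s+", "-", s)
    return re.sub(r"-+", "-", s).strip("-")

def author_slug(location):
    """Return the slug from an /author/<slug>/ URL, or None if it is not an author URL."""
    m = re.search(r"/author/([^/?#]+)", urlparse(location).path)
    return m.group(1).lower() if m else None

def audit(users, redirects):
    """Map user ID -> list of reasons the login is still disclosed."""
    findings = {}
    for u in users:
        slug, reasons = wp_slug(u["user_login"]), []
        if u["user_nicename"].lower() == slug:
            reasons.append("user_nicename matches login")
        if u["display_name"].lower() == u["user_login"].lower():
            reasons.append("display name matches login")
        if author_slug(redirects.get(u["ID"], "")) == slug:
            reasons.append("author URL exposes login")
        if reasons:
            findings[u["ID"]] = reasons
    return findings

# Constructed sample data: rows as exported from wp_users, and the Location
# header each /?author=<ID> request returned on the site being checked.
USERS = [
    {"ID": 3, "user_login": "ruby", "user_nicename": "ruby-abela", "display_name": "Ruby Abela"},
    {"ID": 4, "user_login": "john.doe", "user_nicename": "john-doe", "display_name": "john.doe"},
]
REDIRECTS = {
    3: "http://www.example.com/author/ruby-abela/",
    4: "http://www.example.com/author/john-doe/",
}

if __name__ == "__main__":
    for uid, reasons in audit(USERS, REDIRECTS).items():
        print(uid, "; ".join(reasons))
```

An account with no findings, like ID 3 above, has both its display name and its author URL decoupled from the login.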

Does Hiding of WordPress Usernames Improve WordPress Security?

Some argue that there are other ways an attacker can discover WordPress usernames, so why hide them in the first place? With such reasoning, why would one take any type of evasive action?

As many in the security industry will tell you, there is no security solution that works 100%. Still, WordPress administrators and owners should always do their best and implement security solutions, or in this case WordPress hacks, to make it more difficult for a malicious hacker to penetrate and damage their WordPress installations. Therefore, one can conclude that hiding the WordPress usernames does improve the security of your WordPress websites and blogs.


13 thoughts on “Hide WordPress Usernames to Improve WordPress Security”

  1. What if the WP site is a community site, example using BuddyPress?

    Should the site owner or database admin change their nicename manually? I mean what if there are thousands of users?

    Thanks!

      1. In my own case, I want to display character instead of the display name.

        Question
        1. How will display characters e.g. g20100Ty instead of John Doe?

        2. Is there a code I can input in my function.php to achieve this?

        I will appreciate Andy help or suggestions

        1. Hello Sebastian, in the User Profile page you can specify what name you’d like to publicly display for a user. You can configure this by using the setting “Display name publicly as”. I hope that helps.

  2. This is really an excellent security measure. Thank you very much! I created a new username and I changed user_nicename to yet another entry. Now I see daily (hourly!) password failures reported by WPSecurity using the fake user_nicename. I never knew this was the method hackers use to find my username. Now I can secure all my websites and my client websites. Excellent!

    1. Hello Peter,

      Thanks for sharing your feedback.

      We are glad that you found the article helpful.

      However, this is just one of the many things you can do to improve the security of your WordPress website. There are many improvements you can do and this (WordPress security) is a continuous process, and not a one time fix.

      If you want to learn more, read the WordPress security process and see the steps you can take in order to further improve the security of your site.

      Best wishes

  3. This may have changed because I do see this was published many moons ago but just looking for clarity b/c this did not work for me. My author’s username is still at the end of the URL after clicking the blog post’s author name. I see these instructions are to change the user_nicename BUT then under the heading “Test if the WordPress Username is Hidden”, the reference is to changing the *username*. If I go back to my database I can see my user_nicename is indeed changed. Is it possible user_login may be the db entry that stores the username as opposed to user_nicename?

    1. Hello CJ,

      Indeed, the article is quite old, however the instructions still work on the latest version of WordPress. I have just tested this now on a WordPress 5.7 installation and can confirm it works. If it is not working on your end, you are either missing a step, or you have a theme or a plugin that might be rewriting those URLs. Maybe you’d want to double check that by doing some troubleshooting. Good luck with solving the issue and thank you for reading our articles.

  4. Thank you! I was looking for a fix when I noticed my login name was exposed. I’m using WpDiscuz. Changing my user_nicename Entry via phpMyAdmin resolved the issue. Thank you! It’s appreciated. 🙂

