Hide WordPress Usernames to Improve WordPress Security

Last updated on December 06th, 2014 by Robert Abela. Filed under WordPress Security Hacks

Earlier on we have seen how to change a WordPress user ID. The article focuses on the WordPress administrator user though such procedure applies to any other WordPress user irrelevant of the role it has.

By changing the WordPress user ID of the WordPress administrator account you can delay the attackers’ efforts, and if you are using a WordPress auditing and monitoring plugin you can spot such attack and take evasive action. But what about all the other WordPress users which are used to publish content? In a default WordPress installation their WordPress username can easily be found as explained further below.

The best way to protect your WordPress usernames is to implement both WordPress hacks; change the WordPress user ID and hide WordPress usernames. This WordPress security tutorial explains why you should, and how to hide the WordPress username completely to further improve the security of your WordPress sites and blogs.

Why Hide WordPress Usernames

WordPress usernames can easily be guessed. If guessed it makes the attackers’ life easier especially in case of a targeted WordPress hack attack. Attackers can use a tool such as WPScan to guess your WordPress username or simply by entering a URL such as the following:

http://www.example.com/?author=1

If the author ID is valid then they will be redirected to the author URL, for example:

http://www.example.com/author/admin

The above is possible even when you change the WordPress user IDs. For example if you changed the user ID to 1000, then by requesting the URL http://www.example.com/?author=1000 the attacker can guess the username. This means that you would be delaying the guessing attack but not completely eliminating it.

WordPress usernames can also be found in the source of blog posts and pages hence why it is imperative that you hide the username and that you never publish anything using the WordPress administrator account. In the below screenshot highlighted in orange is the username of the author, in this case ruby.

WordPress username shown in source of WordPress blog post or page

How to Hide WordPress Usernames

The below is an easy to follow step by step procedure that explains how to hide WordPress usernames.

  1. Navigate to the WordPress user’s profile page and make sure the First Name, Last Name and Nickname are populated.

Note: the nickname is typically auto populated with your username. The nickname exists to give you the option to set the display name to something other than your username or first and last name, hence do not fret much about it from the security point of view.

  1. From the Display name publicly as drop down menu select how the user’s name should appear in blog posts, pages etc. Choose something that is different from the WordPress username.
  2. The next step is to change the user_nicename entry for that particular username from the WordPress database. To do so follow any of the below procedures;

Change user_nicename Entry via phpMyAdmin

  1. Login to your hosting provider cPanel and click phpMyAdmin from the Databases section
  2. Click on your WordPress database and click on wp_users table (if you changed the prefix the tables name should be [yourprefix]_users)
  3. Click the Edit button next to the user you would like to edit, as highlighted in the below screenshot

Editing a WordPress username entry in WordPress database with phpMyAdmin

  1. Modify the user_nicename entry to something different than the username as highlighted in the below screenshot

Modify the user_nicename from the WordPress database directly using phpMyAdmin

  1. Click Go to save the changes.

Change user_nicename Entry via MySQL Command Line

Login to MySQL using the command line and issue the following command. For the below example we will use an account with the following details: username ruby, First Name Ruby, Last Name Abela:

UPDATE  `wpdb`.`wp_users` SET  `user_nicename` =  'ruby-abela' WHERE  `wp_users`.`ID` =3;

Below is a syntax explanation of the above command:

UPDATE  `[WordPressDatabase]`.`[UsersTable]` SET  `user_nicename` =  '[NewNicename]' WHERE  `wp_users`.`ID` =[User’sID];

Test if the WordPress Username is Hidden

Prior to changing the WordPress username if you click on the author’s name in a blog post WordPress redirects you to the author’s archive page, where the last parameter in the URL is the username itself:

http://www.example.com/author/ruby/

After changing the username, if you click on the author’s name in a blog post, or try to guess the username using WPScan or via a specific URL you will be redirected to the below URL, which includes the user’s nice name rather than the WordPress username, therefore the username is not disclosed.

http://www.example.com/author/ruby-abela/

Does Hiding of WordPress Usernames Improve WordPress Security?

Some argue to the fact that there are other ways how an attacker can discover WordPress usernames, so why hide them in the first place? With such reasoning then why would one take any type of evasive action?

As many in the security industry will tell you there is no security solution that works 100%. Though WordPress administrator and owners should always do their best and implement security solutions, or in this case WordPress hacks to make it more difficult for a malicious hacker to penetrate and damage their WordPress installations. Therefore one can conclude that hiding the WordPress usernames does improve the security of your WordPress websites and blogs.

WordPress Hosting, Firewall and Backup

WP White Security is hosted on A2 Hosting, protected with BBQ:Block Bad Queries Firewall and backed up with BlogVault online WordPress backup service

5 comments

Chris 16/07/2015

What if the WP site is a community site, example using BuddyPress?

Should the site owner or database admin change their nicename manually? I mean what if there are thousands of users?

Thanks!

Robert Abela 08/08/2015

Hello Chris,

You can easily write up a SQL script to run it against the WordPress database if you want to automate that.

Anne Katzeff 08/10/2015

This explanation is excellent. Thank you very much.

Crutech 27/07/2017

Thanks for this article. But does this hide username from online list too?

Robert Abela 19/09/2017

What do you mean by online lists?

Leave a Reply

Your email address will not be published. Required fields are marked *