WordPress Username Disclosure, Vulnerability or Not?

Last updated on May 28th, 2019 by Robert Abela. Filed under WordPress Security

In an out of the box WordPress installation there are several easy methods you can use to identify the usernames. The good thing is that there are several WordPress hacks you can implement to better hide the WordPress usernames, such as the ones mentioned below:

The problem still remains though since the above hacks are not bulletproof. They will make it difficult for an attacker to guess a WordPress username, though there are still possibilities for an attacker to guess a WordPress username, as shown in the below example.

WordPress Username Disclosure

When you try to login to WordPress using a non-existing username, the response from WordPress indicates that an invalid username was used. The error message itself is invalid username.

A failed WordPress login using non existing username

If you try to login to WordPress using a valid username but a wrong password, WordPress’ error message indicates that the password for the specified username is incorrect by retaining the username in the response, therefore disclosing the username. The error message itself also confirms this The password you entered for the username admin is incorrect. For example in the below screenshot when I try to login to WordPress using admin, which is being used in this test installation. Can you spot the difference between the below and the above responses?

A failed WordPress login using a correct username

Why Is WordPress Username Disclosure a Problem?

WordPress websites are a common victim of brute force attacks. There are several reasons why but mainly this is due to the facts that:

  • The URL of the WordPress users’ login page is the same for all the WordPress installations (e.g. https://www.mysite.com/wp-admin/),
  • By default the username of a WordPress administrator is admin and many users fail to rename it, so it is easy to guess,
  • Many users use easy to guess credentials.

Till this day there are many automated scanners lurking around the internet trying to guess WordPress usernames and passwords. Install an audit trail plugin such as WP Security Audit Log and you will be surprised by how many attacks your WordPress gets.

The WordPress audit trail records a good number of WordPress failed Logins

Making WordPress Brute Force Attacks Easier for Hackers

If you guess the username during a brute force attack, the combination of attacks is reduced by 50%. And with the way WordPress responds to failed login attempts it is very easy for attackers to automatically determine if a username exists or not on the target WordPress website.

Username Disclosure is a Vulnerability in the Non WordPress World

Many other vendors such as Microsoft and Cisco have had this same identical problem in the past and addressed it. Many security professionals consider this as a security flaw in WordPress and there have already been several discussions about it. This issue was originally reported in 2009 in CVE-2009-2335 and has also been listed on WordPress track as ticket 3708.

Thought as can be seen from the track ticket the WordPress core team does not think this is an issue because there are many other ways how to reverse engineer a WordPress username. And this is true as highlighted in Enumerating usernames with WPScan. But wouldn’t it be more appropriate to identify all other WordPress user enumeration problems and start addressing them one by one? Even if it is not a security flaw why making it easier for attackers especially when WordPress is such a big target?

Apply the WordPress Username Hacks and Monitor WordPress

As already explained there are a number of WordPress hacks you can use to make it more difficult for an attacker to guess the WordPress username. Even though they are not bullet proof it is still recommended to apply them because they can prolong a WordPress brute force attack.

Why Should You Prolong the WordPress Brute Force Attack?

When you prolong a WordPress brute force attack you are giving yourself more time to identify the attack and take the necessary evasive actions. For example if you keep a WordPress audit trail you can notice the attack in the logs at a very early stage. The less time there is available for an attacker to complete the attack, the more unnoticed their actions are and the higher the chances of a successful brute force attack.

Other Options to Protect the WordPress Login Page

There are several other options available that will help you boost the security of your WordP     ress login page. You can implement an additional layer of security by protecting the WordPress login page with HTTP authentication or you can implement two-factor authentication for WordPress.

Hence even though WordPress might not be taking the right stance on this one, or at least that is what many security professionals think, there are still a lot of options available out there.

WordPress Hosting, Firewall and Backup

This Website is:


Thiru 22/01/2016

Hi there, Nowadays we can change the default login page 🙂 There are lot pf plugins to change the login page.. I’m recommending ithemes security plugin.. It’s awesome 😀

Robert Abela 10/02/2016

Hello Thiru,

It is definitely a good option when you can. Many business websites have a lot of customization, hence such solution is not always possible.

Joe 26/03/2016

I am using the ‘login_errors’ filter to prevent WP from giving people clues about whether the Username and/or password they entered is correct to prevent easy discovery of valid usernames. My question is, how do you prevent WP from pre-populating the username field when valid usernames are entered? Or maybe even better, is it possible to change it so any username entered, valid or not, is pre-populated when there is a login error?

Robert Abela 13/04/2016

Hi Joe, unfortunately so far I haven’t seen any particular solution for such problem. Changing the error message is a good step but guessing the username is still relatively easy if it is pre-populated.

tone 16/05/2018

You can use an .htaccess rewrite rule to prevent this disclosure but you should also be sure to use nicknames to avoid disclosing usernames.
# Stop WordPress username enumeration vulnerability
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
RewriteRule ^(.*)$ http://yoursite.com/somepage/? [L,R=301]

Robert Abela 24/07/2018

Thank you for sharing Tone.

Leave a Reply

Your email address will not be published. Required fields are marked *