Skip to content

How do hackers get usernames on your WordPress site?

Of course you chose a good password — one that potential hackers won’t be able to guess. And you also activated the feature of the iThemes Security plugin that blocks computers that have too many wrong login attempts from accessing your site. So you’re pretty safe from people trying to break in by password guessing.

But even if you have a good password, your site is more secure if potential hackers have to guess your username and password instead of just the password. My book suggests you enter a “display name” on your personal profile, to prevent your username appearing anywhere on the site.

But, even so, if you check your security logs, you might find entries like this:

LOg shows someone tried to login with your ID

Someone tried to login as “pamplemousse”, your supposedly secret username, and you know it wasn’t you! How did the hackers learn your username?

It turns out there’s a special URL in WordPress that you can use to display a login name. It goes like this:

Or other numbers instead of 1, but usually you, the creator of the site, are user number 1, so the above displays your posts. Try that now on your own website; it should display a page with all your posts, and notice the URL in the browser’s address bar:

Stupid old WordPress! You’ve let the cat out of the bag! Any hacker can easily discover usernames to try!

Fortunately, there’s a way to fix this. Install the plugin Stop User Enumeration by Fullworks Digital Ltd. It blocks attempts to use “author=” queries like the above, and also blocks another technique for getting the same information (which is more technical — so please just take my word for it).

Once you activate the plugin, it may put up a banner in your dashboard suggesting you visit the plugin’s Settings page. Do so, and enable the options “Stop REST API User calls” and “Remove numbers from comment authors” if they aren’t already checked.

Now, when anyone enters a query with a “?author=” some number, they’ll get a message saying “forbidden – number in author name not allowed“. If you previously tried this, and you try it again now, you probably won’t see this message, because your browser cached the result of your previous attempt. But refresh, or try it from a different computer, or with a different “author number,” and you should see the “forbidden” message.

Unless you have special reason to believe someone is specifically targeting your site, don’t worry that your usernames were previously exposed. Hacking is an automated mass process these days — a bot was trying to break into your site, just going down the list of a script that included trying the “author=” URL and then using the username from the URL to immediately try to login with that name and some common passwords. If it fails, it moves on to the next website. It doesn’t store information about your site for later attempts.

So, I wouldn’t bother to change your username in most cases. However, if you want to, the plugin Username Changer by Daniel J Griffiths will do it.