Hide your WordPress username from hackers

One of the most common attacks on a WordPress install is a brute force attack. This is when a malicious visitor tries to log in with a username over and over again with different passwords until they get it right. The passwords usually come from a long list of commonly used passwords easily found on the internet. In order for this to work for our malicious visitor, they need to also know your WordPress username. Unfortunately, WordPress makes this very easy for them to obtain.

When you create a user, WordPress stores what it calls a nicename in the database. This is what WordPress uses to rewrite the URL for your author pages. WordPress creates the nicename by sanitizing the user login the same way it sanitizes post names for permalinks. With this configuration, any time someone visits your author page, your username is exposed right there in the address bar. This gives malicious visitors a leg up in attempting a brute force attack. In fact, Google will even index these pages, making it super easy for someone to uncover ALL of your usernames with one simple query in Google. Unfortunately, WordPress does not provide a way to easily change this.

First Deter Brute Force Attacks

The first step is to deter brute force attacks. The easiest way to do this is to install a security plugin. Lucky for you, I wrote a tutorial on how to stop WordPress brute force attacks. If you haven’t done this yet, go read that tutorial, follow the instructions, and then come back here. Take your time; I’ll wait.

How Do I Hide My WordPress Username?

That’s a great question. That is why you’re here after all. First, you stop WordPress from showing your usernames, and then, if you need to have dynamic author pages, you redirect your author links to somewhere else. Let’s start with stopping WordPress from showing your usernames.

Fix The WordPress Enumeration Vulnerability

That’s a lot of big words, I know. It’s really not so scary though. This is referring to the ability to reveal WordPress login usernames quite easily by simply incrementing a number in the following URI request: www.yourdomain.com?author=1. Luckily, this is easy to prevent. Put this code in the functions.php file of your child theme (credit: Perishable Press):

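/**
* Block enumeration scan
**/
function tfr_check_enum($redirect, $request) {
    // permalink URL format: stop before WordPress redirects ?author=N to the author page
    if (preg_match('/\?author=([0-9]*)(\/*)/i', $request)) die();
    else return $redirect;
}
if (!is_admin()) {
    // default URL format
    // QUERY_STRING may be absent outside a web request (for example from the command line)
    if (isset($_SERVER['QUERY_STRING']) && preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])) die();
    add_filter('redirect_canonical', 'tfr_check_enum', 10, 2);
}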

Now any request to such a URI will return nothing. A blank page should show in the browser.

Change your user nicename

If you MUST have the dynamic author pages generated by WordPress, you MUST change your user nicename to something other than your WordPress login username. You can do this in one of two ways. The first way is by going into the database and changing it manually. However you access your database, go to the wp_users table and each user will have a user_nicename column. Just change that entry for each user and you’re on your way.

[Image: user_nicename row in database]

The other option is to add a field to change the nicename from the user admin panel. First we need the function to add the field to the user admin page:

/**
* Add nicename field to user admin page
**/
function tfr_add_nicename_field( $user ) {
    $userdata = get_userdata( $user->ID );
    ?>
    <table class="form-table">
        <tr>
            <th><label for="user_nicename"><?php esc_html_e( 'Nicename', 'textdomain' ); ?></label></th>
            <td><input name="user_nicename" id="user_nicename" value="<?php echo esc_attr( $userdata->user_nicename ); ?>" /></td>
        </tr>
    </table>
    <?php
}
add_action( 'show_user_profile', 'tfr_add_nicename_field' );
add_action( 'edit_user_profile', 'tfr_add_nicename_field' );

Then we need a function to handle what the user puts in that field. If it is left blank, we will use the nickname entry instead of the user login entry.

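/**
* Save the nicename submitted from the user admin page
**/
function tfr_update_nicename( $user_id ) {
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        return false;
    }

    // Use the submitted nicename, or fall back to the nickname if it is blank.
    if ( ! empty( $_POST['user_nicename'] ) ) {
        $raw = $_POST['user_nicename'];
    } else {
        $raw = isset( $_POST['nickname'] ) ? $_POST['nickname'] : '';
    }

    // WordPress adds slashes to $_POST, so remove them before sanitizing.
    $nicename = sanitize_title_with_dashes( wp_unslash( $raw ) );
    if ( '' === $nicename ) {
        return false; // nothing usable submitted; leave the nicename as it is
    }

    $userdata = array(
        'ID'             => $user_id,
        'user_nicename'  => $nicename
    );

    wp_update_user( $userdata );
}
add_action( 'personal_options_update', 'tfr_update_nicename' );
add_action( 'edit_user_profile_update', 'tfr_update_nicename' );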
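
To see which accounts still need the change described in this section, the following added example (not part of the original tutorial) flags every user whose nicename still matches their login and lists them in a warning on the Users screen. The function names tfr_get_exposed_users and tfr_exposed_nicename_notice are hypothetical; the snippet goes in functions.php like the ones above.

```php
/**
 * Added example: return users whose nicename is still derived from their login.
 * (Hypothetical helper name, not part of WordPress or the original tutorial.)
 */
function tfr_get_exposed_users() {
    $exposed = array();
    $users   = get_users( array(
        'fields' => array( 'ID', 'user_login', 'user_nicename' ),
    ) );

    foreach ( $users as $user ) {
        // The default nicename is the login run through the permalink
        // sanitizer, so compare against that slug as well as the raw login.
        $login_slug = sanitize_title( $user->user_login );
        if ( $user->user_nicename === $login_slug
            || 0 === strcasecmp( $user->user_nicename, $user->user_login ) ) {
            $exposed[] = $user;
        }
    }
    return $exposed;
}

/**
 * Added example: warn on the Users screen while any such account remains.
 */
function tfr_exposed_nicename_notice() {
    global $pagenow;
    // Only on the Users list, and only for roles allowed to list users.
    if ( 'users.php' !== $pagenow || ! current_user_can( 'list_users' ) ) {
        return;
    }
    $exposed = tfr_get_exposed_users();
    if ( empty( $exposed ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>';
    echo esc_html( count( $exposed ) . ' user(s) still have a nicename that matches their login:' );
    echo '</p><ul>';
    foreach ( $exposed as $user ) {
        printf(
            '<li><a href="%s">%s</a></li>',
            esc_url( get_edit_user_link( $user->ID ) ),
            esc_html( $user->user_login )
        );
    }
    echo '</ul></div>';
}
add_action( 'admin_notices', 'tfr_exposed_nicename_notice' );
```

Each entry links to that user's edit screen, where the nicename field added above appears. Once the list is empty, the notice disappears.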

Redirect WordPress Author Links

If you don’t need the dynamic author links, you should redirect those links somewhere else. Somewhere else? Where? That’s also a good question, but I’m going to leave that up to you. It really depends on your needs. You can redirect to an about page, a static authors page, or even the home page. For the purpose of this tutorial, I’m going to redirect to the home page. To accomplish this, add these two functions to your functions.php:

/**
* Filter author links on page
**/
function tfr_filter_author_link( $link ) {
    return get_home_url();
}
add_filter( 'author_link', 'tfr_filter_author_link' );
 
/**
* Redirect author pages
**/
function tfr_disable_author_pages() {
    if ( is_author() ) {
        wp_safe_redirect( get_home_url(), 301 );
        exit; // wp_safe_redirect() does not stop execution on its own
    }
}
add_action( 'template_redirect', 'tfr_disable_author_pages' );

And there you have it. Your usernames should be good and hidden from anyone that’s looking for them. Comments, questions, or concerns? Leave them in the comment section below.