Hacking Attempts – Hide username?



This topic contains 2 replies, has 2 voices, and was last updated by  NickR 2 years, 5 months ago.




    First, I’d just like to thank you for providing such an awesome guide to WordPress Security. I’ve just downloaded it and have yet to digest all of the incredible information you have provided. Please forgive me if the answer to my question is included in the guide but I have an immediate concern that I would like to address as soon as possible. If you could point me in the right direction that would be appreciated.

    I run a number of WordPress based sites and I have the “Login Lock” plugin installed on them all. I regularly receive emails from the plugin telling me that there’s been a malicious attempt to log in to my site. I’m not usually concerned by this because I have the plugin set to only allow 4 log in attempts then ban the I.P. address for a week.

    Also, the malicious attempts usually target the username “admin” which I don’t use. I have a completely unique username and, in the user profile settings, I have it set to publicly display a different nickname. So, in theory, nobody should be able to detect my actual log in username.

    Just recently however I have noticed an increasing number of attempts to log in using my unique username which is not publicly visible. How is it possible for someone to discover this username and how can I protect it from being seen?

    Keep up the good work.



    Hi Nick,

    It is a best practice to create different users for different purposes and use them only for their intended purpose. Note that we have not yet written our article on this topic so you will not find this on our site or in the checklist today.

    You should create one user with administrative rights and ONLY use this user for doing your site admin.

    You should create a user with Editor rights and ONLY use this user for posting articles etc. on your site.

    Your username might still be exposed via the author archive page.

    Try this url for your domain: http://www.yourdomain.com/author/username and see what you get.

    You can test for different user IDs by using the URL: http://www.yourdomain.com/?author=1 …?author=2 etc.

    You can turn off the author archives and redirect any ?author=# requests to the home page.

    If you use Yoast’s SEO plugin you can find a setting under “Titles & Metas” -> “Other” -> “Disable the author archives”.

    Alternatively you can use .htaccess. Add this code:
    RewriteRule ^author/(.*)$ http://example.com/ [R,L]

    We recommend that you use some kind of “login lockdown” plugin to stop brute force attacks.

    And we also recommend that you use WP Login Security. This plugin is quite clever. If someone logs into your website from an unknown IP address it will email an authentication code to the registered email address of the user. Until that code is entered the person cannot log in. So even if someone manages to crack your username/password they can still not log in unless they have access to the email account as well.

    You can read a little bit more on this topic in this support post on WordPress.org.

    I hope this answers your question.
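
Added example, not part of the original reply: the rule quoted above only matches the /author/ path, so this .htaccess fragment also redirects the ?author=N requests the reply mentions. It assumes Apache with mod_rewrite, and that the block is placed above the "# BEGIN WordPress" section so it runs before WordPress's own rewrite rules.

```apache
<IfModule mod_rewrite.c>
RewriteEngine On

# 1) Numeric author lookups: /?author=1, /?author=2, ...
#    WordPress would otherwise redirect these to /author/<login-slug>/,
#    which discloses the login name.
#    /wp-admin/ is excluded because the dashboard's post list uses
#    ?author=N to filter posts by author.
RewriteCond %{REQUEST_URI} !/wp-admin/ [NC]
RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+ [NC]
# The trailing "?" in the target discards the original query string,
# so the author parameter is not carried over to the home page.
RewriteRule ^ /? [R=302,L]

# 2) Pretty-permalink author archives: /author/<slug>/
#    Same intent as the rule in the reply, but with a relative target
#    so no domain name has to be hard-coded.
RewriteRule ^author/ /? [R=302,L]
</IfModule>
```

After deploying, request /?author=1 and /author/anything/ on your own site; both should return a 302 to the home page with no username in the Location header.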



    Hi Anders

    Great answer!

    Entering http://www.yourdomain.com/?author=1 …?author=2 etc… does indeed expose the username.

    I’ll get to work on implementing your suggested solutions.

    Thanks a lot :-)
