Recently my friend came to me and related how hackers usually attacked his site using standard login names like “Admin” and “Administrator”, but some had actually gotten his login name right. He asked how the hackers were learning his admin username. I didn’t immediately have an answer, but about 30 minutes later I came back to him with it.
Most of the time when hackers attack your site, they use standard login names like “Admin”, “Administrator”, or “Root”. If you use one of these as your admin login name, change it now. If not, you have little to worry about until they discover your REAL username. When they get smart and start using your real login name, that sucks. I don’t care how long your password is: if they bang away at your server with a brute force attack, give them long enough and they will find it.
Here’s How They Do It
If they’re already on your site, they can typically go to any blog post and click on the author name (which may or may not be the login name). That takes them to an author archive folder whose URL gives away your username. The author URL can also be found through Google. If you know how to do it, I don’t need to tell you. If you don’t, I don’t need to teach you or the people that would use it against you.
In both cases, you will get a URL that looks like www.sitename.com/author/username/ and it’s the username that is the actual login name.
Here’s How You Defend Against It
You can use Yoast’s SEO plugin (Which I highly recommend for SEO purposes) to disable author archives.
Disabling the author archives is a great way of protecting against this vulnerability if you only have a single-author blog. However, because people may want to see all of an author’s posts in one place, it really isn’t appropriate for multi-author blogs.
A method of protecting against hackers obtaining your user name that works for both single author and multi-author blogs is to install a plug-in called Edit Author Slug.
Once you create a new user in WordPress, you can go back and edit that user’s profile page; toward the bottom of it you will see a heading called “Edit Author Slug”. Using that, you can set your author slug to be anything you want. I recommend setting it to something other than your actual admin name.
Due to the fact that this works well with both single and multi-author blogs, this is the method I recommend.
Step By Step
- Make a backup of your Database.
- Install and activate the Edit Author Slug plugin.
- Create a new username, something not easily guessable, and give it admin (or whatever you think is appropriate) level access.
- Delete the old user and, when prompted, choose “Attribute all posts to:” the new user. DO NOT DELETE THE POSTS!
- Go to that user’s page and give it a nickname. I recommend using the old admin name so you don’t have to 301 redirect your author archive folders.
- Under “Display name publicly as” choose that nickname.
- Scroll down to “Edit Author Slug”
- Choose the old username or click the “Custom” radio button and type in another username.
- Click update profile.
Voilà! You have now created a new user, hidden your username, and kept all your folders and posts in the same place that they were in before. Success!
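If you want to confirm that none of your users still leak their login name through their author archive or display name, here is an added example of a small must-use plugin that audits this (it is my own illustration, not code from this post’s steps or from the Edit Author Slug plugin). It assumes a standard WordPress install, with the file dropped into wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Author Slug Audit (added example)
 * Description: Flags users whose author archive slug or public display name
 *              still reveals their login name.
 */

// Return the users whose public author slug (user_nicename, the part after
// /author/ in the archive URL) or display name exposes the login name.
function asa_users_with_exposed_login() {
    $exposed = array();
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        // WordPress derives the default slug from the login with sanitize_title(),
        // so "John.Doe" becomes "john-doe"; compare against that derived form too.
        $derived_slug = sanitize_title( $user->user_login );
        $slug_leaks   = ( $user->user_nicename === $derived_slug )
                     || ( strcasecmp( $user->user_nicename, $user->user_login ) === 0 );
        $name_leaks   = ( strcasecmp( $user->display_name, $user->user_login ) === 0 );

        if ( $slug_leaks || $name_leaks ) {
            $exposed[] = array(
                'login'   => $user->user_login,
                'reason'  => $slug_leaks ? 'author slug' : 'display name',
                'archive' => get_author_posts_url( $user->ID ),
            );
        }
    }
    return $exposed;
}

// Show administrators a warning listing every exposed user and the archive URL.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $exposed = asa_users_with_exposed_login();
    if ( empty( $exposed ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>Author slug audit:</strong> '
       . 'these users still reveal their login name. Change the author slug '
       . '(Edit Author Slug) and/or the display name for:</p><ul>';
    foreach ( $exposed as $row ) {
        printf(
            '<li>%s (%s): <code>%s</code></li>',
            esc_html( $row['login'] ),
            esc_html( $row['reason'] ),
            esc_url( $row['archive'] )
        );
    }
    echo '</ul></div>';
} );
```

After working through the steps above, the notice should disappear; if it still lists a user, that user’s slug or display name still matches the login.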
If you don’t have a plugin to keep your site safe, I highly recommend using Wordfence. It’s free to use unless you want/need their advanced features and trust me, it can save your site. I’ve had a site get hacked and Wordfence helped me fix it almost effortlessly.