Title: Hide WordPress users
Last modified: May 18, 2018

---

# Hide WordPress users

 *  [rolf.databoss](https://wordpress.org/support/users/rolfdataboss/)
 * (@rolfdataboss)
 * [8 years, 1 month ago](https://wordpress.org/support/topic/hide-wordpress-users/)
 * We’ve launched a couple of sites for different clients and installed a limit
   login attempts plugin. But we’ve noticed that they tried to log in with usernames
   that aren’t visible on the site but that are in the admin. How can I hide all
   usernames so that those hacking bots can’t find them?

Viewing 6 replies - 1 through 6 (of 6 total)

 *  [Alex Moise](https://wordpress.org/support/users/alexmoise/)
 * (@alexmoise)
 * [8 years, 1 month ago](https://wordpress.org/support/topic/hide-wordpress-users/#post-10294185)
 * Hi Rolf,
 * It seems that somebody (a bot?) managed to enumerate the usernames and tried
   to log in using them. That could be easily stopped using more than one method:
 * The simplest approach is to block the most trivial user enumeration at the server
   level, by adding the following code in the “.htaccess” file in your website root
   directory:
 *     ```
       # Stop User ID Phishing
       <IfModule mod_rewrite.c>
       	RewriteCond %{QUERY_STRING} ^author=([0-9]*) [NC]
       	RewriteRule .* http://your-domain.com/? [L,R=302]
       </IfModule>
       ```
   
 * Please beware that before adding this code to “.htaccess” you need to go to
   “Settings” -> “Permalinks” and switch permalinks to any setting except the default
   “Plain”, then you need to replace “your-domain.com” in the code above with your
   own domain name.
 * Another approach is to use a plugin like [WPBruiser](https://wordpress.org/plugins/goodbye-captcha/),
   which has an option named “Prevent User Enumeration” in its “Security” tab that
   literally “Prevents bots from enumerating users through ‘/?author=N’ scans, the
   oEmbed API, and the WordPress REST API”. That’s a pretty easy and powerful thing
   to do, and there are other security goodies included for website protection.
 * Good luck and have fun! I’d love to know which approach you choose and the results
   you get!
    Alex.
 *  Thread Starter [rolf.databoss](https://wordpress.org/support/users/rolfdataboss/)
 * (@rolfdataboss)
 * [8 years, 1 month ago](https://wordpress.org/support/topic/hide-wordpress-users/#post-10294230)
 * Hi Alex,
 * Thanks for the response. Why is it that the usernames are that easily accessible?
   Wouldn’t it be smarter to fix that on the WordPress level? Especially with the
   GDPR law coming up in Europe.
 *  [Alex Moise](https://wordpress.org/support/users/alexmoise/)
 * (@alexmoise)
 * [8 years, 1 month ago](https://wordpress.org/support/topic/hide-wordpress-users/#post-10294290)
 * Welcome Rolf,
 * With such a vast array of situations where WordPress could be used it’s hard
   to predict all the things people could do to it, but the good thing is that
   it’s pluggable enough that it can be easily protected (besides turning it into…
   almost anything 🙂 )
 * So, which approach would you choose from the above? Code or plugin? If you could
   disclose this, of course!
 * Cheers!
    Alex.
 *  Thread Starter [rolf.databoss](https://wordpress.org/support/users/rolfdataboss/)
 * (@rolfdataboss)
 * [8 years, 1 month ago](https://wordpress.org/support/topic/hide-wordpress-users/#post-10294301)
 * Hi Alex,
 * We’ve found an approach that is more suitable for the many sites we have. Installing
   an extra plugin or editing the htaccess would take up too much time.
 * We’re gonna make an author.php and upload that to the (child)theme with the code:
 *     ```
       <?php
       $location = "Location: ".get_site_url();
       header("HTTP/1.1 301 Moved Permanently");
       header($location);
       ?>
       ```
   
 * An upload only takes a few moments.
 * Greets,
    Rolf
 *  [Alex Moise](https://wordpress.org/support/users/alexmoise/)
 * (@alexmoise)
 * [8 years, 1 month ago](https://wordpress.org/support/topic/hide-wordpress-users/#post-10294305)
 * Ahh, about the GDPR … I guess first technical solutions will start to show up
   across the web in the form of functions developed by independent developers to cover
   various issues they encounter; then some of these functions will become more
   widely known, improved and used; then based on these some plugins will start
   to pop up in the Plugin Directory … maybe some well-known plugins will include these…
   and so on, something like this. This is the way it evolves all the time 🙂
 *  [Alex Moise](https://wordpress.org/support/users/alexmoise/)
 * (@alexmoise)
 * [8 years, 1 month ago](https://wordpress.org/support/topic/hide-wordpress-users/#post-10294575)
 * Hi Rolf, thanks for coming back with a solution,
 * I understand the need to quickly upload the fix to a lot of websites, but I suspect
   redirecting user archives will not stop bots from enumerating your usernames
   (read below why).
 * First, if you would like a quick solution easy to upload please use [this file](https://gist.github.com/alexmoise/d5d9073e6165d4e5ac098a184d5405e6/archive/20c822d4d3e3721154f58bbcc6fd1de7609cd05b.zip)–
   just unzip, then upload the “stop-wordpress-user-phishing.php” file directly 
   in the /wp-contents/plugins/ directory of each website, then go to Plugins and
   activate this plugin, named “Stop Username Phishing”.
 * It’s just one step more than just uploading and it’s guaranteed to work (and 
   tested).
 * If you would like to see what’s in the file before downloading please see it 
   here: [https://gist.github.com/alexmoise/d5d9073e6165d4e5ac098a184d5405e6](https://gist.github.com/alexmoise/d5d9073e6165d4e5ac098a184d5405e6)
 * ===
 * Now, why redirecting the author archive to the site homepage will not prevent bots from
   enumerating your usernames: The mechanism used by user phishing bots is a bit different
   and works _before that_;
 * These bots access the website using these URLs:
 * [http://your-domain.com/?author=1](http://your-domain.com/?author=1)
   [http://your-domain.com/?author=2](http://your-domain.com/?author=2)…
   and so on.
 * Then they get back from the website the address where the author archive is,
   which translates into something like:
   [http://your-domain.com/?author=1](http://your-domain.com/?author=1) -> [http://your-domain.com/author/admin](http://your-domain.com/author/admin)
   [http://your-domain.com/?author=2](http://your-domain.com/?author=2) -> [http://your-domain.com/author/anotheruser](http://your-domain.com/author/anotheruser)…
   etc.
 * But then, _the bot doesn’t actually follow that newly obtained link_; instead
   the bot removes the “http://your-domain.com/author/” part from the author archive
   URL sent by the website and stores the list of users; then it accesses
   “http://your-domain.com/wp-login.php” and fills the username field with the
   username and the password field with dictionary words …
 * So, we need to drop the communication right after receiving the request to access
   something that contains “?author=” – that’s why there’s a “die();” thing in the
   file above 🙂
 * That’s all, hope it helps!
    Cheers! Alex.
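A defender-side way to implement what the replies above describe: dropping `?author=N` probes before WordPress issues the canonical redirect that leaks the login name, and closing the REST API and oEmbed routes that the WPBruiser option in the first reply also covers. This is an added example written for this page, not the gist plugin or any code from the thread; it is a must-use plugin (placed in wp-content/mu-plugins/), the plugin name is hypothetical, and it relies on the standard WordPress hooks `init`, `rest_endpoints` and `oembed_response_data`:

```php
<?php
/**
 * Plugin Name: Block Author Enumeration (example)
 * Description: Added example for this thread, not the gist plugin. Drop into wp-content/mu-plugins/.
 */

// 1. Refuse "?author=N" probes for anonymous visitors at "init", which runs
//    before "template_redirect", where redirect_canonical() would answer
//    with "Location: /author/<username>/" and hand the login name to the bot.
add_action( 'init', function () {
    if ( is_admin() || is_user_logged_in() ) {
        return; // keep the dashboard, admin-ajax and logged-in users working
    }
    if ( isset( $_GET['author'] ) ) {
        status_header( 403 );
        nocache_headers();
        exit; // end the response here: no redirect, no Location header
    }
}, 0 );

// 2. Remove the user listing routes from the REST API for anonymous callers.
//    GET /wp-json/wp/v2/users returns each user's "slug", i.e. the login name.
//    Logged-in users keep the routes so the block editor's author picker works.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 3. Strip the author name and profile URL from oEmbed responses, which
//    otherwise expose the author archive URL (and so the username) per post.
add_filter( 'oembed_response_data', function ( $data ) {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
} );
```

After activating, a request for `/?author=1` from a logged-out browser should return 403 with no `Location` header, and `/wp-json/wp/v2/users` should return a 404 "No route was found" error; the plain author archive URL `/author/<username>/` still works for anyone who already knows the name, so this hides names rather than archives.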


The topic ‘Hide WordPress users’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 6 replies
 * 2 participants
 * Last reply from: [Alex Moise](https://wordpress.org/support/users/alexmoise/)
 * Last activity: [8 years, 1 month ago](https://wordpress.org/support/topic/hide-wordpress-users/#post-10294575)
 * Status: not resolved
