• Resolved affanabbas158

    (@affanabbas158)


    I recently observed a potential security loophole in WordPress where attackers can easily discover admin usernames. By searching for any post that displays the author’s name and clicking on it, they are directed to the author archive page. While this page lists all posts by that user, the URL itself also reveals the username.

    Since usernames are often half of the login credentials (alongside passwords), this could make brute-force attacks easier for malicious actors. Would it be possible to implement measures to obscure or hash usernames in URLs for better security?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Yui

    (@fierevere)

    永子

    You can use any of the many security plugins to hide usernames and forbid username discovery via the REST API or XML-RPC.

    Also check the SEO plugin settings to see if usernames can be removed from post metadata.

    Hi @affanabbas158

    As @fierevere mentioned, you can hide usernames using plugins or put them in hash format if you want. But these are not best practices in terms of SEO, because people may be interested in reading the content of a specific author, and that's why search engines index author-based posts and author archives.

    You will notice that all popular social media platforms expose usernames in their profiles. As you see this as a security issue, yes, it's worth considering, but we can handle it in other ways. Here are some steps you can follow to reduce the risk.

    1. Change the admin login URL. By default it's wp-admin, so you can use a plugin like WPS Hide Login to change the login URL. This way they will have your username, but they won't know where to use it.
    2. Add a captcha on login. Most of the time these are automated attacks; with a captcha, you can prevent multiple attempts.
    3. Limit the login attempts. You will find different plugins that help you limit login attempts, so you can set 5 or 10 maximum attempts from an IP; after that it will be blocked, and only you can unblock it from the admin dashboard.
    4. Enable 2FA for login.

    Hope these help you reduce the risk of exposing WordPress usernames.

    Have a nice day!
    Muhibul
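Step 3 above (a per-IP limit on failed logins) in working form, as an added example that is not part of the thread or of any WordPress plugin: a small Python detector that reads web-server access log lines, counts failed wp-login.php POSTs per IP inside a sliding window, and reports IPs that hit the limit. It assumes combined log format and WordPress's own behaviour of answering a failed wp-login.php POST with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect; the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format line. WordPress answers a failed wp-login.php POST with
# HTTP 200 (the form is re-rendered); a successful login answers with a 302.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    if not (m := LOG_RE.match(line)):
        return None                      # not a combined-log line
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def is_failed_login(rec):
    """A POST to wp-login.php that did not redirect is a failed attempt."""
    return (rec["method"] == "POST"
            and rec["path"].split("?")[0].endswith("/wp-login.php")
            and rec["status"] == 200)

def flag_brute_force(lines, max_attempts=5, window=timedelta(minutes=10)):
    """Map each IP that reached max_attempts failed logins inside a sliding
    window to the timestamp of the first failure in that run."""
    recent = defaultdict(list)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        ts_list = recent[rec["ip"]]
        ts_list.append(rec["ts"])
        while rec["ts"] - ts_list[0] > window:   # expire old failures
            ts_list.pop(0)
        if len(ts_list) >= max_attempts and rec["ip"] not in flagged:
            flagged[rec["ip"]] = ts_list[0]
    return flagged

# Constructed sample log: 203.0.113.5 fails five times; 198.51.100.7 mistypes once, then logs in.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
    '203.0.113.5 - - [10/Oct/2023:13:55:47 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
    '203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
    '198.51.100.7 - - [10/Oct/2023:13:55:52 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
```

Running `flag_brute_force(SAMPLE_LOG)` flags only 203.0.113.5; the legitimate user's single typo followed by a 302 never reaches the limit.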


The topic ‘WordPress Username’ is closed to new replies.