How to hide WordPress usernames and prevent enumeration?

‘admin’ has long been the default WordPress administrator username, and many site owners never change it. For a higher level of security you should. Check out this easy-to-follow tutorial on changing or deleting the WordPress admin username: basically you create a new administrator account, reassign the old account’s content to it, and delete the default admin account.

Many WordPress themes have options to hide the author name in posts and pages. However, disabling the post meta information alone does not prevent enumeration of usernames on your site. WordPress scanning tools determine usernames automatically through the ID-based author enumeration method. Every user in a WordPress site has a unique numeric ID, and the first account created (normally the administrator) has ID 1. If you visit http://yourwordpressite/?author=1 in a browser and pretty permalinks are turned on in the dashboard, WordPress redirects you to http://yourwordpresssite/author/admin and the admin user’s real username appears in the address bar (strictly, the author slug, which defaults to the username). In the same way, http://yourwordpressite/?author=id reveals the name of any other user, so a scanner simply walks the IDs 1, 2, 3 and so on until it stops getting redirects. You can also find all users’ IDs from the dashboard; check out this guide on finding a WordPress author ID.


How to hide WordPress author names and prevent username enumeration?

As mentioned above, first hide the author info in posts and pages in your theme settings if it is not hidden by default. Then create a new administrator account with a hard-to-guess username and delete the default admin account. If your WordPress site is hosted on an Apache server, add the code below to the .htaccess file to block author-ID probing requests (?author=1, ?author=2, …) and prevent username enumeration. The first condition skips requests under /wp-admin, where the dashboard legitimately uses ?author= to filter post lists; any other request carrying a numeric author parameter is redirected to a page of your choosing (replace http://yoursite/somepage/ with a real URL on your site), and the trailing ? in the rule drops the query string from the redirect target.

RewriteEngine On
# leave the dashboard alone; the author parameter is used there legitimately
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
# an author parameter with a numeric value, e.g. ?author=1 or ?p=5&author=2
RewriteCond %{QUERY_STRING} (^|&)author=\d [NC]
RewriteRule ^ http://yoursite/somepage/? [L,R=301]

If you can’t find the .htaccess file in your hosting account, make sure the option to display hidden files is turned on in your FTP client or file manager (the leading dot makes it a hidden file). Once you have confirmed there is no such file in your WordPress base folder, create the .htaccess file on your computer, add the code above, and upload it to your server through FTP. Your web host may also offer an online file manager that you can use to create the file. Note that this rule only closes the ?author=N route from ID to name; the author archive pages themselves (http://yourwordpresssite/author/username/) still exist, so it stops the scanner from discovering names, not from visiting an archive whose name it already knows.
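The following is an added example, not code from the original post or from WordPress: a small Python model of the probe-and-block behaviour described above. It reproduces the scanner’s loop (walk ?author=1, 2, 3 … and read the username out of the redirect) and the decision the two RewriteCond lines make, then runs both against constructed in-memory responses so it works offline. The host names, the three sample accounts and the redirect target http://yoursite/somepage/ are assumptions for illustration.

```python
"""
Added example (not from the original post): models the ?author=N enumeration
probe and the .htaccess blocking rule on constructed request/response data.
"""
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Equivalent of the RewriteCond on %{QUERY_STRING}. The parameter name is
# anchored to the start of the query or to a preceding '&', so a parameter
# such as 'coauthor=1' does not match.
AUTHOR_PARAM = re.compile(r"(?:^|&)author=\d", re.IGNORECASE)


def is_author_probe(request_uri: str) -> bool:
    """Mirror both RewriteConds: not under /wp-admin, and author=<digit> in the query."""
    parts = urlsplit(request_uri)
    if parts.path.lower().startswith("/wp-admin"):
        return False
    return AUTHOR_PARAM.search(parts.query) is not None


def apply_block_rule(request_uri: str,
                     redirect_to: str = "http://yoursite/somepage/") -> Tuple[int, Optional[str]]:
    """Return (status, Location) as the Apache rule would; (200, None) means pass-through."""
    if is_author_probe(request_uri):
        return 301, redirect_to  # the trailing '?' in the rule drops the query string
    return 200, None


def username_from_location(location: str) -> Optional[str]:
    """Pull the author slug out of a WordPress redirect target such as /author/admin/."""
    m = re.search(r"^/author/([^/?#]+)/?", urlsplit(location).path)
    return m.group(1) if m else None


# Constructed sample: what an unprotected site with pretty permalinks answers to
# GET /?author=N, as (status, Location). ID 3 does not exist, so it gets a 404.
UNPROTECTED_SITE: Dict[int, Tuple[int, Optional[str]]] = {
    1: (301, "http://example.com/author/admin/"),
    2: (301, "http://example.com/author/jane/"),
    3: (404, None),
}


def enumerate_users(responses: Dict[int, Tuple[int, Optional[str]]],
                    max_id: int = 10) -> Dict[int, str]:
    """The scanner's loop: walk IDs 1..max_id and record every slug leaked by a redirect."""
    found: Dict[int, str] = {}
    for uid in range(1, max_id + 1):
        status, location = responses.get(uid, (404, None))
        if status in (301, 302) and location:
            slug = username_from_location(location)
            if slug:
                found[uid] = slug
    return found


def protected_site(max_id: int = 10) -> Dict[int, Tuple[int, Optional[str]]]:
    """The same probes against a site carrying the .htaccess rule: each one is redirected away."""
    return {uid: apply_block_rule(f"/?author={uid}") for uid in range(1, max_id + 1)}


if __name__ == "__main__":
    print("unprotected:", enumerate_users(UNPROTECTED_SITE))  # {1: 'admin', 2: 'jane'}
    print("protected:  ", enumerate_users(protected_site()))   # {}
```

The unprotected run recovers both real usernames from the redirect Location headers; with the rule in place every probe lands on the decoy page, whose URL carries no /author/ segment, so the scanner learns nothing. The /wp-admin exclusion is also visible: /wp-admin/edit.php?author=1 passes through untouched, which is why the dashboard keeps working after the rule is added.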

Set a different nickname for WordPress users
Set a nickname that differs from the WordPress username, and choose it as the name displayed publicly in the user’s profile. This simple step makes it harder for attackers to guess or scan your real username from what appears on posts and comments. Be aware that the nickname only changes the display name; the author slug used in /author/…/ URLs is a separate field that defaults to the username, so the nickname on its own does not stop the ID-based enumeration described above.

Last but not least, just because someone can discover your WordPress username doesn’t mean your site is insecure. To break in they would still need to steal or guess your password, so do not forget to choose a strong, hard-to-guess password for every account on your WordPress site.

One comment

  1. The last rule that you mention above:

    RewriteRule ^ http://yoursite/somepage/? [L,R=301]

    stays untouched, or you have to change it to reflect your site?
    For example if your site is google.com,
    to make it:

    RewriteRule ^ http://google.com/? [L,R=301]

    Something else.
    Do we also have to make a rule for the wp-login.php to reflect the above?

    RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
    and add:

    RewriteCond %{REQUEST_URI} !^/wp-login.php [NC]

    Last Question:
    If we hide our login page with a plugin and we create for example a login page /myownlogin

    Can we/do we have to create for extra security a rule for that too?
    for example:
    RewriteCond %{REQUEST_URI} !^/myownlogin [NC]

    Thanks in advance
