There’s a simple way for attackers to discover your username and then attempt to log in through your login page.
First, finding your WordPress login page is as easy as typing this into the address bar:
yourdomain.com/wp-login.php
Second, they can uncover your username by entering what’s called the author archive URL into the address bar:
yoursitename.com/?author=1
All hackers have to do is change the author number until the usernames come up. When I tried this on two different sites I have admin access to, not only did the usernames of authors come up, but the usernames of subscribers were also exposed.
As I changed the author number, the subscriber names either popped up on the web page with “Archives for” preceding the name (even though there are no archives/content for those names), or they appeared in a drop-down box beneath the address bar, or in the browser tab.
Avoid the Danger of Username Theft
Once a username with admin rights has been identified, the attacker can try to get into your site with brute-force password attacks. This loophole for finding usernames on WordPress sites confirms the danger of two things.
1. A weak password needs to be updated.
WordPress offers password strength help here.
Your WordPress password is easily changed in your Users Profile under About Yourself.
2. For your username, don’t choose your author name, admin, administrator, or any one of the targeted usernames.
See the list of targeted usernames in the recent brute-force attack here.
Your username can’t be changed in your WordPress profile. Follow my simple steps in How to Change Your WordPress Username through your cPanel.
For every loophole there is an equally effective loophole filler. In a perfect World Wide Web, that is. Staying abreast of countermeasures against hackers requires constant vigilance and a few WordPress plugins to keep the invasion at bay and your usernames safe.
Keep Hackers Away With a Safe Slug
While the World Wide Web isn’t perfect, there are steps you can take to keep your site secure. The WordPress plugin that works to keep your usernames safe is WP Author Slug.
By automatically generating a slug that differs from the username, the plugin prevents attackers from figuring out your login name through the author archive URL. Instead, the URL shows the set display name, not the username that’s used to log in.
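To show what a “safe slug” fix looks like under the hood, here is an added example written for this post; it is not the WP Author Slug plugin’s code and I have not taken it from any project. It is a small must-use plugin (a file dropped into wp-content/mu-plugins/) that does two things the post describes: it gives every newly registered user a nicename (slug) that is not their login name, and it refuses the numeric ?author=N probe on the public site, logging the attempt so you can spot enumeration in your server logs. The plugin name, the suffix length and the log message format are my own choices.

```php
<?php
/*
 * Plugin Name: Author-enumeration hardening (added example, not WP Author Slug)
 * Place in wp-content/mu-plugins/ so WordPress loads it automatically.
 */

// 1. On registration, replace the default nicename (which WordPress derives
//    from user_login) with a slug based on the display name plus a short
//    random suffix, so the author URL never spells out the login name.
add_action('user_register', function ($user_id) {
    $user = get_userdata($user_id);
    if (!$user) {
        return;
    }
    // WordPress sets display_name to user_login when none is given, so only
    // use it when it actually differs from the login.
    $base = ($user->display_name && $user->display_name !== $user->user_login)
        ? sanitize_title($user->display_name)
        : 'author';
    // 6-character random suffix (assumed length); letters and digits only.
    $slug = $base . '-' . strtolower(wp_generate_password(6, false));
    wp_update_user(array('ID' => $user_id, 'user_nicename' => $slug));
});

// 2. Block the ?author=N probe on the public site. Without this, WordPress
//    resolves the numeric ID and redirects to /author/<nicename>/, which is
//    exactly how the "Archives for <name>" page leaks the slug.
add_action('init', function () {
    if (is_admin() || !isset($_GET['author'])) {
        return; // leave the dashboard's own user screens alone
    }
    if (preg_match('/^\d+$/', (string) $_GET['author'])) {
        error_log(sprintf(
            'author enumeration probe from %s: author=%s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            $_GET['author']
        ));
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});
```

Two things to keep in mind: the user_register hook only touches accounts created after the file is installed, so existing users still need their nicename changed once (the plugin above in the post does that for you), and the error_log lines land in your PHP error log, where a burst of “author enumeration probe” entries with increasing author numbers from one address is the tell-tale sign of exactly the probing this post describes.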
In case you’re wondering, the author “slug” is also known as your “nicename” and is the URL-friendly version of the website title with the author name. It is automatically generated by WordPress to look like this: example.com/author/authorname.
Just wanted to clear that bit of potential slug-confusion up. Nothing like visions of a slimy slug in your URL to ruin your day.
Good luck keeping your WordPress site secure and the loopholes plugged with safe slugs.