Have you ever seen a nightmare in broad daylight?
Don’t get me wrong. I haven’t lost my mind, nor have I gone insane.
If you were me, you would have acted the same way I did when one of my WordPress blogs got hacked. Trust me, it’s not fun at all when your website gets hacked.
WordPress security vulnerabilities have always been a nagging issue. If you’re using WordPress as a CMS, you have to be very careful and take every possible measure to strengthen your WordPress security. Among many loopholes, the WordPress login username is one: it can easily be identified from the author archive page’s permalink and used by a hacker. You can check it yourself here;
If you go to an author archive page, the author name, whether it is Admin, john, angel or anything else, appears in the URL where the username would be and can easily be identified. Once hackers have your username, it becomes easier for them to use brute force to crack your password.
Let me explain in detail.
When you sign up for a new user account on WordPress, you are assigned a username, which is basically the login name, and a password.
There is a table in the WordPress database named wp_users, which has fields such as:
- user_login
- user_pass
- user_nicename
- user_email
When a new user is created, the WordPress database is populated with the relevant credentials. By default, user_login (the username) and user_nicename (basically the author name) are populated with the same value. We cannot change that at sign-up, nor from the WordPress dashboard menu.
Here’s an example to make things clearer.
Suppose you sign up for a new user account named angelina. By default, both the username and the author name become ‘angelina’, and the author permalink looks like;
As I mentioned before, unless you alter the author name, it takes a hacker seconds to figure out that the username is ‘angelina’. If the username has a weak password, it becomes easier for him to get into your WordPress dashboard with a few tricks.
The only possible way out here is to change user_nicename to something completely different from the username. If they are different, it won’t be possible for anyone to know what the actual username is. Your WordPress becomes more secure and hackers don’t stand any chance of getting through your security measures.
For example, user_nicename is ‘angelina’. If we change it to, say, ‘amanda’, the author archive page URL becomes http://yoursite.com/author/amanda for the user angelina. Now it’s simply not possible for anyone to guess the actual username.
That raises the question of how to change user_nicename, since, as I said before, there is no option in the WordPress dashboard to do that.
Well, you need to have access to your cPanel. Just follow the process below to make a small amendment in your WordPress database.
- Log in to your cPanel
- Go to phpMyAdmin
- If you have multiple databases loaded (more than one WordPress blog), choose the right database.
- Select and edit the username you want to alter
- Change user_nicename to something else, just different from user_login
- Hit the ‘Go’ button to save the change you made
There are some extremely important things you need to keep in mind while changing user_nicename, otherwise it may affect you heavily.
- user_nicename can be changed to practically anything, but it is highly advisable to keep it simple, like a name, to make it search engine friendly.
- Do not use any space between words. If you choose a name like ‘Amanda Bryan’, type it without any space, or with a - or numbers between the name and surname, i.e. AmandaBryan or Amanda-Bryan. Otherwise the author archive URL will return a 404 error. That will affect you immensely, because every time a crawler reaches the page it will get a 404 error, causing massive damage to the site’s SEO performance.
- You can use numbers, letters, _ or -, but it’s not advisable to use any special character. For example, ‘Amanda-Bryan’ is good to use.
- It is not case sensitive at all. ‘Amanda’ and ‘amanda’ both read the same way in the archive URL.
- Now there is another critical part to notice. After updating user_nicename, check whether Google still has the previous (old) author archive page indexed. Search for http://yoursite.com/author/oldusername. If it still appears in the Google search results, you have to make a link removal request through your Google Webmaster Tools account.
- Even after making so much effort, there is still another loophole which might leak your WordPress login username! Trust me, I don’t have any intention to scare you. I’m just reminding you to check the WordPress dashboard user menu for ‘Username’ and ‘Nickname’: they may still be the same, in which case the username is revealed on the author archive page as the writer’s name and in the page title of your browser.
Go to WordPress dashboard > Users, select the user whose nickname and ‘Display name publicly as’ value you want to change, and alter the name.
- Finally, you have completed all the necessary steps to secure your WordPress by hiding the WordPress login from the author archive. Now check whether the updated author name shows. If the old username is still displayed, don’t worry: clear your browser cache and repeat the process, and it will show the updated author name.
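The phpMyAdmin edit and the nickname check described above can also be run as queries from phpMyAdmin’s SQL tab. This is an added example, not part of the original article; it assumes the default wp_ table prefix and uses the sample names ‘angelina’ and ‘amanda’ from earlier in the post.

```sql
-- Added example. Assumes the default table prefix "wp_"; adjust if yours differs.
-- Take a database backup before running the UPDATE.

-- 1. Audit: list accounts whose public fields still reveal the login name.
--    user_nicename feeds the /author/ URL, display_name and nickname feed
--    the writer's name shown on the archive page.
SELECT u.ID,
       u.user_login,
       u.user_nicename,
       u.display_name,
       m.meta_value AS nickname
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m
       ON m.user_id = u.ID
      AND m.meta_key = 'nickname'
WHERE u.user_nicename = u.user_login
   OR u.display_name  = u.user_login
   OR m.meta_value    = u.user_login;

-- 2. Make sure the new slug is not already used by another account.
--    Expect 0 before continuing.
SELECT COUNT(*) AS clashes
FROM wp_users
WHERE user_nicename = 'amanda';

-- 3. Change the author slug for one account (sample names from the article).
UPDATE wp_users
SET user_nicename = 'amanda'
WHERE user_login = 'angelina';

-- 4. Find slugs that break the rules listed above: anything other than
--    letters, digits, _ or - (a space, for instance) leads to a 404.
SELECT ID, user_login, user_nicename
FROM wp_users
WHERE user_nicename REGEXP '[^A-Za-z0-9_-]';

-- 5. Confirm the result: login and slug should now differ.
SELECT user_login, user_nicename, display_name
FROM wp_users
WHERE user_login = 'angelina';
```

Query 1 returning no rows after the change means none of the three public fields matches the login name exactly; the nickname and display name are still changed from the dashboard as described above.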
That’s it. I hope you can now hide your author archive page and secure WordPress from hacking. This is the first article of our WordPress security guide series. Stay tuned for more tips to make your WordPress bulletproof. If you need any further assistance to complete the process above, feel free to ask in the comment section.