How Hackers Can Easily Find Your WordPress Username (And How to Stop Them)

You might think you’ve done everything right to secure your WordPress site. You’ve hidden your login page, changed default usernames, and made sure your admin area is locked down. But guess what? Hackers can still find your WordPress username, and it’s easier than you think. Here’s how they do it—and what you can do to stop them.

Two Main Methods Hackers Use:

1. Using the /?author=1 Query Parameter

Hackers can exploit a simple URL trick to discover your username. By adding /?author=1 at the end of your blog URL, they can be redirected to your author page, revealing your username.

Here’s how it works:

  • They visit your site and add /?author=1 at the end of the URL.
  • The site then redirects them to your author page, displaying your username.

How to Fix This:

  • Fix 1: Modify Your .htaccess File. This is a quick and efficient fix if you have access to the .htaccess file. Adding a few lines of code will block anyone from accessing your username this way.

    Here’s the code to add:

    # Send /?author=N requests (outside wp-admin) away from the author archive
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
    RewriteCond %{QUERY_STRING} author=\d
    # Redirect to the homepage; the trailing "?" drops the query string
    RewriteRule ^ /? [L,R=301]

  • This will redirect anyone trying to use the /?author trick back to your homepage.

  • Fix 2: Add a Code Snippet to WordPress. If you can’t modify .htaccess, another option is to add a code snippet to your WordPress site. You can add this to your theme’s functions.php file or use a custom plugin.

    Here’s the code:

    function redirect_to_home_if_author_parameter() {
        // get_query_var() returns '' when no ?author= value was supplied
        $is_author_set = get_query_var( 'author', '' );
        if ( $is_author_set != '' && ! is_admin() ) {
            wp_redirect( home_url(), 301 );
            exit;
        }
    }
    // Priority 1 so this runs before WordPress's own canonical redirect, which is
    // also hooked on template_redirect and would otherwise send the visitor to
    // the author archive (and its username) first.
    add_action( 'template_redirect', 'redirect_to_home_if_author_parameter', 1 );


This snippet works the same way by redirecting suspicious requests back to your homepage.

  • Fix 3: Use Cloudflare Rules. If you’re using Cloudflare, set up page rules or firewall rules to block access to the /?author=1 parameter. This is especially useful if you don’t want to mess with code.

2. Using WordPress JSON REST API

Hackers can also exploit the WordPress REST API to find usernames. By visiting https://yourwebsite.com/wp-json/wp/v2/users/1, they can see your username in plain text.

How to Fix This:

  • Fix 1: Disable the REST API Endpoints via Code. You can block these API endpoints with a simple code snippet. Add this to your WordPress theme’s functions.php or use a custom plugin:

    function disable_rest_endpoints( $endpoints ) {
        // Keep the routes for logged-in users: the block editor needs them (author selector)
        if ( is_user_logged_in() ) {
            return $endpoints;
        }
        // Remove both the user collection and the single-user route behind /wp-json/wp/v2/users/1
        foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
            if ( isset( $endpoints[ $route ] ) ) {
                unset( $endpoints[ $route ] );
            }
        }
        return $endpoints;
    }
    add_filter( 'rest_endpoints', 'disable_rest_endpoints' );


After adding this, your site will no longer expose your username through the REST API.

  • Fix 2: Block JSON API Requests via Cloudflare. Alternatively, you can use Cloudflare to block any requests to the wp-json endpoint. This method prevents unnecessary load on your server, especially if you’re dealing with a lot of bots.

    Use a firewall rule like this:

    http.request.full_uri contains "/wp-json"


Set the action to “JS challenge” or “Block”. Be cautious, though—blocking the JSON API might interfere with some plugins, like Jetpack.
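As an added example that is not part of the original post: a small Python script that runs over web server access log lines and flags both enumeration patterns described above (the ?author=N query and the /wp-json/wp/v2/users routes), so you can see from your own logs who is probing and whether the fixes are taking effect (a 301 or block instead of a 200). It assumes the Apache/Nginx combined log format, uses constructed sample lines, and mirrors the .htaccess rule's wp-admin exemption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)

# Constructed sample lines (not real traffic); the IPs are from documentation ranges
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:38 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 200 412 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2024:14:01:02 +0000] "GET /wp-admin/edit.php?author=1 HTTP/1.1" 200 9182 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2024:14:01:10 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def classify(target):
    """Return which enumeration vector a request target matches, or None."""
    parts = urlsplit(target)
    # ?author=N outside /wp-admin, the same exemption the .htaccess rule makes
    # (the admin post list legitimately filters by author)
    if not parts.path.startswith("/wp-admin"):
        for value in parse_qs(parts.query).get("author", []):
            if value.isdigit():
                return "author_param"
    # The REST users routes: the collection and /wp-json/wp/v2/users/<id>
    if parts.path.startswith("/wp-json/wp/v2/users"):
        return "rest_users"
    return None

def scan_log(lines):
    """Per client IP: hits per vector, plus how many returned 200 (fix not in place)."""
    report = defaultdict(lambda: {"author_param": 0, "rest_users": 0, "successful": 0})
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not combined format; skip rather than crash
        vector = classify(match.group("target"))
        if vector is None:
            continue
        entry = report[match.group("ip")]
        entry[vector] += 1
        if match.group("status") == "200":
            entry["successful"] += 1
    return dict(report)
```

On the sample above only 203.0.113.7 is reported: its two ?author= hits were already redirected (301) while the REST request still returned 200, which tells you the .htaccess fix is live but the REST fix is not.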

Conclusion:

While some may argue that revealing a WordPress username isn’t a big deal, why make it easy for hackers? By following these steps, you can protect your site from brute force attacks, reduce spam, and keep your site running smoothly.

Want more WordPress security tips? Check out our latest posts or contact me for a consultation at nikhilsoman.in.
