How to Stop Hackers From Easily Finding Your WordPress Username

You might think you’ve done everything right to secure your WordPress site. You’ve hidden your login page, changed default usernames, and made sure your admin area is locked down. But guess what? Hackers can still find your WordPress username, and it’s easier than you think. Here’s how they do it—and what you can do to stop them.

Two Main Methods Hackers Use:

1. Using the /?author=1 Query Parameter

Hackers can exploit a simple URL trick to discover your username. By adding /?author=1 at the end of your blog URL, they can be redirected to your author page, revealing your username.

Here’s how it works:

  • They visit your site and add /?author=1 at the end of the URL.
  • The site then redirects them to your author page, displaying your username.

How to Fix This:

  • Fix 1: Modify Your .htaccess File. This is a quick and efficient fix if you have access to the .htaccess file. Adding a few lines of code will block anyone from accessing your username this way.

    Here’s the code to add:

        RewriteEngine On
        # Leave requests under /wp-admin alone
        RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
        # Match author=<digit> only as a query parameter of its own
        RewriteCond %{QUERY_STRING} (^|&)author=\d
        # Redirect to the homepage; the trailing "?" drops the query string
        RewriteRule ^ /? [L,R=301]

    This will redirect anyone trying to use the /?author trick back to your homepage.

  • Fix 2: Add a Code Snippet to WordPress. If you can’t modify .htaccess, another option is to add a code snippet to your WordPress site. You can add this to your theme’s functions.php file or use a custom plugin.

    Here’s the code:

        // Send any front-end request that resolves to an author query back to the homepage.
        function redirect_to_home_if_author_parameter() {
            $is_author_set = get_query_var( 'author', '' );
            if ( $is_author_set != '' && ! is_admin() ) {
                wp_redirect( home_url(), 301 );
                exit;
            }
        }
        // Priority 1 runs this before WordPress's own redirect_canonical (priority 10),
        // which would otherwise redirect /?author=1 to the author page first.
        add_action( 'template_redirect', 'redirect_to_home_if_author_parameter', 1 );

This snippet works the same way by redirecting suspicious requests back to your homepage.

  • Fix 3: Use Cloudflare Rules. If you’re using Cloudflare, set up page rules or firewall rules to block access to the /?author=1 parameter. This is especially useful if you don’t want to mess with code.

2. Using WordPress JSON REST API

Hackers can also exploit the WordPress REST API to find usernames. By visiting https://yourwebsite.com/wp-json/wp/v2/users/1, they can see your username in plain text.

How to Fix This:

  • Fix 1: Disable the REST API Endpoints via Code. You can block these API endpoints with a simple code snippet. Add this to your WordPress theme’s functions.php or use a custom plugin:

        // Remove the user listing and the single-user route (/wp/v2/users/1) from the REST API.
        function disable_rest_endpoints( $endpoints ) {
            $user_routes = array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' );
            foreach ( $user_routes as $route ) {
                if ( isset( $endpoints[ $route ] ) ) {
                    unset( $endpoints[ $route ] );
                }
            }
            return $endpoints;
        }
        add_filter( 'rest_endpoints', 'disable_rest_endpoints' );

After adding this, your site will no longer expose your username through the REST API.

  • Fix 2: Block JSON API Requests via Cloudflare. Alternatively, you can use Cloudflare to block any requests to the wp-json endpoint. This method prevents unnecessary load on your server, especially if you’re dealing with a lot of bots.

    Use a firewall rule like this:

        http.request.full_uri contains "/wp-json"

Set the action to “JS challenge” or “Block”. Be cautious, though—blocking the JSON API might interfere with some plugins, like Jetpack.
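
To confirm that the fixes from both sections took effect, the Python sketch below classifies the responses to the URLs discussed above. It is an added example, not code from the original post; the sample responses, the example.test host and the siteadmin slug are constructed, and audit() assumes the base URL of a site you operate.

```python
import json, re, urllib.error, urllib.request
from urllib.parse import urlsplit

def author_redirect_leak(status, location):
    """Slug leaked by the /?author=1 redirect, or None if the response is safe."""
    if status not in (301, 302, 307, 308) or not location:
        return None
    m = re.search(r"/author/([^/?#]+)", urlsplit(location).path)
    return m.group(1) if m else None

def rest_users_leak(status, body):
    """Slugs exposed by a /wp-json/wp/v2/users or /users/1 response."""
    if status != 200:
        return []          # 401/403/404: endpoint removed or blocked
    try:
        data = json.loads(body)
    except ValueError:
        return []          # e.g. an HTML challenge page, not JSON
    users = data if isinstance(data, list) else [data]
    return [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None        # surface the 3xx instead of following it

def fetch(url):
    """Return (status, Location header, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        r = opener.open(url, timeout=10)
        code = r.status
    except urllib.error.HTTPError as e:
        r, code = e, e.code
    return code, r.headers.get("Location"), r.read().decode("utf-8", "replace")

def audit(base):
    """Check the URLs from this article against a site you operate."""
    s, loc, _ = fetch(base + "/?author=1")
    found = {"author_redirect": author_redirect_leak(s, loc)}
    for path in ("/wp-json/wp/v2/users", "/wp-json/wp/v2/users/1"):
        s, _, body = fetch(base + path)
        found[path] = rest_users_leak(s, body)
    return found

# Constructed sample responses (not captured from any real site).
BEFORE = (301, "https://example.test/author/siteadmin/")
AFTER = (301, "https://example.test/")
REST_BEFORE = (200, '{"id": 1, "name": "Site Admin", "slug": "siteadmin"}')
REST_AFTER = (404, '{"code": "rest_no_route", "data": {"status": 404}}')
```

A clean result from audit() is None for author_redirect and an empty list for each REST path; any slug in the output means the corresponding fix is not active.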

Conclusion:

While some may argue that revealing a WordPress username isn’t a big deal, why make it easy for hackers? By following these steps, you can protect your site from brute force attacks, reduce spam, and keep your site running smoothly.

Want more WordPress security tips? Check out our latest posts or contact me for a consultation at nikhilsoman.in.

Nikhil Soman
