Millions of malicious bots scan WordPress sites looking for weak usernames and passwords. If you're certain your website is secure, fine, but just to be safe, you should probably read this post.
As great as WordPress is, there are a few things about it that seriously annoy me. While the razzmatazz of this CMS is impressive, you might be failing to notice some basic security settings that could make the difference between being hacked and being left alone.
Make no mistake: hackers will target ANY WordPress blog, because the attempts are usually made by automated scripts scouring the web daily for weak logins, not by someone picking your site out by hand.
These are called brute force attacks, and that's what I want to draw your attention to right now.
A tutorial video is included at the end.
WordPress Username Vulnerabilities
I’m guessing you have already changed your WordPress username from the default “admin” to something hard to guess?
Good, that’s a start.
But if I had a penny for every time a WordPress website owner didn’t change their user_nicename in phpMyAdmin I’d have enough to buy a good steak dinner.
It may be you’ve never even heard of user_nicename. That’s okay. Some of the top bloggers don’t even know about this.
Everything will become clear after I explain what this has to do with website security and how it concerns your URL.
WordPress User Security
Look at the screenshot below. What do you see in the last part of the URL?
In case the image hasn't loaded: it is the author archive URL, and in the example it ends in /author/admin/.
That last segment, my friend, is your WordPress username.
Even if you change it to something other than "admin", it will still show up in the author archive URL. WordPress builds that URL from the user_nicename field, which is generated from your login name when the account is created.
It's a dead giveaway. Go to any WordPress site and look for the Posted by section under the title of a post.
The name printed there is the display name, but the link behind it points to /author/<slug>/, and unless the webmaster has already changed that slug in the database, it is the webmaster's login name!
This is a general WordPress problem that CAN be corrected in phpMyAdmin.
If you don't take steps to resolve this now, you are handing attackers half of what they need.
Think about it: you're giving potential hackers part of what they need to begin an automated brute force campaign against your site!
Once they have your username, they just need your password (and most people use a weak password). Hiding the username is one layer of defence; it is no substitute for a strong, unique password.
You might get away with it, but is it worth waiting to find out?
The Fix: A Simple phpMyAdmin Tweak
If you follow the instructions I'm about to give you, you can disguise your username by altering how the author URL/slug appears, hiding the real username you use to log in.
The screenshot below is from phpMyAdmin.
Notice how the user_nicename is identical to the user_login.
It uses “admin” in both instances.
This is our problem. You MUST change the user_nicename to something different from the user_login.
It doesn't alter your login credentials (user_login and user_pass are untouched). It just hides your username from prying eyes.
You need to access the table wp_users in your main database inside phpMyAdmin.
If you use cPanel for hosting, you’ll find the phpMyAdmin icon under the databases section.
In the example, the database is called “wordpress”. Your database might be called something different.
Access the correct database and click wp_users.
Next, you’ll be presented with a row inside this table that you can edit by clicking the pencil icon in the screenshot below.
Then you can change the user_nicename value from "admin" (or whatever is showing up in the author archive URL) to something else. Keep it URL-safe: lowercase letters, digits and hyphens, and make sure no other user already has that slug.
I've replaced the defaults with the hyphenated example shown below. I've used small-biz-geek for my own website.
Your version of phpMyAdmin might be a little different depending on your host. Another way to edit the wp_users table is to click the “browse” icon shown in the screenshot below.
Click the icon and you can access and edit the rows containing the user_nicename.
InstantWP, a tool for running WordPress on a local machine, gives you access to the same (or a very similar) database view, so the steps are the same there.
Eventually, you want something that looks a bit like the screenshot below:
(Never use admin as your user_login. The example shown is hypothetical.)
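If you prefer the SQL tab in phpMyAdmin to clicking through rows, the same change can be done with a few statements. This is an added example, not code from the original post; it assumes the default wp_ table prefix, that the account you want to fix has ID 1, and that small-biz-geek is the new slug you have chosen. Change all three to match your site.

```sql
-- Added example (not from the original post). Assumes the default wp_
-- table prefix, user ID 1 and the new slug 'small-biz-geek'; adjust all
-- three before running.

-- 1. Audit: which accounts leak their login name through the author
--    archive slug? WordPress derives user_nicename from user_login when
--    the account is created, so on an untouched site they match.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_nicename = LOWER(user_login);

-- 2. Check the new slug is free. wp_users only has an ordinary index on
--    user_nicename, not a UNIQUE one, so the database will not stop you
--    from creating a clash; WordPress expects the slug to be unique.
SELECT ID, user_login
FROM wp_users
WHERE user_nicename = 'small-biz-geek';

-- 3. Change only the slug. user_login and user_pass are not touched, so
--    the login credentials stay exactly as they were. The second condition
--    guards against accidentally setting the slug equal to the login name.
UPDATE wp_users
SET user_nicename = 'small-biz-geek'
WHERE ID = 1
  AND user_login <> 'small-biz-geek';

-- 4. Verify: login and slug must now differ, and the author archive for
--    this user will be served at /author/small-biz-geek/.
SELECT ID, user_login, user_nicename
FROM wp_users
WHERE ID = 1;
```

Run the first query across the whole table on a multi-author blog; every row it returns is an account whose login name is visible in its author archive URL. Take a database backup before the UPDATE, and keep the slug to lowercase letters, digits and hyphens so it stays valid in a URL.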
I’ve produced a short video showing you how to solve the issue if my instructions are not clear:
Free WordPress Security Plugin
It is probably worth your while using the Wordfence Security plugin for WordPress, since it monitors all login attempts. Many of these attempts will be the brute force bots looking for weaknesses.
Wordfence sends you an email digest to let you know which usernames were used in login attempts, so you can see for yourself whether your real login name is being tried.
If you run a multi-author blog, this is useful because it shows both authorised and unauthorised logins. If a fellow team member logs in, you'll get an email letting you know.