Over the years many WordPress websites have been hacked, and most of the affected users insist they set a username and password that were not easy to guess. That is often true: they did set a strong username, but the question they forgot to ask afterwards is "can the hackers find my username?". YES, they can, with certainty, if you do not take the necessary precautions after installing WordPress. A username that the site itself gives away hands an attacker half of the login and leaves only the password to brute-force. We have prepared this post especially for those who have little or no idea how to keep their WordPress username out of sight.

There are two ways an attacker gets the username without guessing:

1. Using the /?author=1 parameter. Go on and try it for yourself: open your website www.mydomain.com and append /?author=1 to the end. For test purposes we installed WordPress on a test domain (www.kingsceltest1.com) so you can see it for yourself.

What the query does is ask WordPress for the post archive of the user with ID 1, which on a default install is the account created during setup (the admin). WordPress answers with a 301 redirect to that author's permalink, /author/kingsceltest/ in our case, so the author slug, which by default is derived from the login name, shows up in the address bar before the page even renders. Incrementing the number (/?author=2, /?author=3, and so on) walks through the other user IDs in the same way. So forget about making your username difficult to guess. It's right out there in the open!

2. The second method uses the WordPress JSON REST API endpoints.

Visit the following URL on your WordPress site:

https://[yoursite]/wp-json/wp/v2/users/1

Replace [yoursite] with your site name. You should get back a JSON object for user ID 1 whose "slug" field is the user's nicename and whose "name" field is the display name, together with the link to the author archive. Dropping the trailing /1 (https://[yoursite]/wp-json/wp/v2/users) lists every user who has published a public post in one request.

That's it! You can see here how widely your username is exposed to hackers.

WordPress exposes these REST endpoints by default, without any authentication, so anyone can enumerate the site's users via JSON.
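
Here is a small checker you can point at your own site to test both vectors, before and after you harden it. It is an added example written for this post, not code from the original article or from WordPress; it uses only the Python standard library, assumes the www.kingsceltest1.com test domain from above as its default target, and the sample responses embedded in it are constructed for the offline demo, not captured from any real site.

```python
"""Username-enumeration check for a WordPress site: the /?author=N redirect
and the /wp-json/wp/v2/users REST endpoint. Example code added to this page."""
import json
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# The author-archive permalink WordPress redirects /?author=N to.
AUTHOR_SLUG_RE = re.compile(r"/author/([^/?#]+)/?")

# Constructed sample responses (not captured from a real site) so the parsers
# can be exercised offline; check_site() does the live version.
SAMPLE_AUTHOR_REDIRECT = (301, "https://www.kingsceltest1.com/author/kingsceltest/")
SAMPLE_REST_USER = ('{"id":1,"name":"kingsceltest","url":"","description":"",'
                    '"link":"https://www.kingsceltest1.com/author/kingsceltest/",'
                    '"slug":"kingsceltest"}')


def slug_from_author_redirect(status, location):
    """Vector 1: a default install answers /?author=N with a 301 to
    /author/<user_nicename>/. Return that slug, or None when the server did
    not redirect there (a WAF block, or a rewrite rule that sent it home)."""
    if status not in (301, 302) or not location:
        return None
    match = AUTHOR_SLUG_RE.search(location)
    return match.group(1) if match else None


def users_from_rest_json(body):
    """Vector 2: parse /wp-json/wp/v2/users (a list) or /users/<id> (one
    object) into (id, slug, name) tuples. Error objects such as
    rest_user_invalid_id, or a non-JSON block page, yield an empty list."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if isinstance(data, dict):
        data = [data]
    if not isinstance(data, list):
        return []
    return [(u.get("id"), u.get("slug"), u.get("name"))
            for u in data if isinstance(u, dict) and "slug" in u]


def fetch(url):
    """GET without following redirects, so the Location header of the
    /?author=N response can be inspected. Returns (status, headers, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn the redirect into an HTTPError we catch below
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "wp-enum-check/1.0"})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read().decode("utf-8", "replace")


def check_site(base_url, max_author_id=5):
    """Probe both vectors against a live site and return human-readable
    findings. An empty list means neither vector disclosed a user."""
    findings = []
    for n in range(1, max_author_id + 1):
        status, headers, _ = fetch(urljoin(base_url, f"/?author={n}"))
        slug = slug_from_author_redirect(status, headers.get("Location"))
        if slug:
            findings.append(f"/?author={n} redirects to author slug '{slug}'")
    _, _, body = fetch(urljoin(base_url, "/wp-json/wp/v2/users"))
    for uid, slug, name in users_from_rest_json(body):
        findings.append(f"REST users endpoint lists id={uid} slug='{slug}' name='{name}'")
    return findings


def offline_demo():
    """Run both parsers over the constructed samples (no network needed)."""
    return (slug_from_author_redirect(*SAMPLE_AUTHOR_REDIRECT),
            users_from_rest_json(SAMPLE_REST_USER))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = check_site(sys.argv[1])
        print("\n".join(results) if results else f"{sys.argv[1]}: no usernames disclosed")
    else:
        print("offline demo:", offline_demo())
```

Run it as python3 wp_enum_check.py https://www.example.com against a site you own; an empty result after hardening means both vectors are closed, while a slug in the redirect or a user in the REST list means the fix did not take. The script deliberately does not follow redirects, because the leak in the first vector is in the Location header itself, not in the page it leads to.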

 

How to fix this:

Method 1: The best and recommended solution by kingscel is to install the Wordfence Security plugin. To get it:

a. Log in to your WordPress dashboard, go to Plugins >> Add New, then search for Wordfence in the search bar.

b. Click Install Now and then Activate.

Well done! Now follow the setup instructions and configure it as you see fit for your website.

Note: the Wordfence Web Application Firewall (WAF) must be set to "Enabled and Protecting" (not left in Learning Mode) for this to start working, and the option "Prevent discovery of usernames through '/?author=N' scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps" under Firewall >> Brute Force Protection must be ticked.

c. Now try either of the methods hackers use to get your username, as shown above. Instead of the author page or the JSON user record, you will get an error response from Wordfence.

Method 2: Modifying .htaccess (Apache hosts only)

Open cPanel, navigate to the directory that holds your WordPress installation files, find .htaccess and edit it. Paste the following at the end of the file:

# Redirect /?author=N user-enumeration requests to the home page.
# Skipped under /wp-admin, where the dashboard legitimately uses author=N to filter posts.
# If WordPress lives in a subdirectory, add that path in front of /wp-admin.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d
RewriteRule ^ /? [L,R=301]
</IfModule>

Save and exit, then load your site once to confirm it still works (a typo in .htaccess produces a 500 error on every page).

Note that this rule only covers the /?author=N method. It does nothing for /wp-json/wp/v2/users, which is answered by WordPress itself, so pair it with Method 1 or Method 3 if you want the REST API covered too. It also relies on mod_rewrite, so it has no effect on nginx hosts.

Method 3: Changing the user's nicename and display name in the database

a. In cPanel, open phpMyAdmin.

b. Find the WordPress database, open the table whose name ends in _users (wp_users unless you changed the table prefix) and click Edit on the admin row, or on whichever user you wish to change.

c. Notice that the fields user_login, user_nicename and display_name all contain the same value. That is what WordPress fills in at install time, and it is why both methods above reveal the login name: /?author=1 redirects to /author/<user_nicename>/, and the REST API returns user_nicename as "slug" and display_name as "name". Neither vector ever outputs user_login itself.

d. Now make sure all three are different. In this case we keep user_login as it is, since that is the actual name used to log in (unless you wish to change it), and set user_nicename = admin (or anything you want) and display_name = boondocks (or anything you want). Choose a nicename that is lowercase with no spaces, because it becomes part of the author archive URL, and remember that it must be unique among your users.

Now let's see the results after changing those two fields in the database:

with "/?author=1" the redirect now goes to /author/admin/, so a visitor learns the decoy nicename rather than the real login name;

with "/wp-json/wp/v2/users/1" the JSON now shows "slug": "admin" and "name": "boondocks", again without the login name.

Well, that's it! Both vectors still respond, but neither of them gives away the name an attacker has to type into the login form. Keep a strong, unique password (and ideally two-factor authentication) on every account regardless: hiding the username adds friction for attackers, it does not replace those controls. Cheers!