I received an alarming DM from one of my e-buddies, Darren of Small Biz Geek.
This is what it said…
Say whaaaaaaaaat?
Now, I will say this…
I know not to ever use “admin” for my username, and I’m aware of the nickname issue.
What’s the nickname issue, you ask?
Always set a nickname and then pick it under "Display name publicly as" on your profile; otherwise the display name shown on your posts and comments defaults to your username.
Go into Users from your dashboard, and edit your Admin user account. Change the nickname to something other than your username, and choose that nickname as the display name.
But I had already done that, so I wasn’t aware of any other username vulnerabilities.
Well there’s another one, and it’s a biggy!
The Byline Might Be Exposing Your Username
Darren figured out my login username for my new site, and he didn’t have to hack the database or go to great lengths to figure it out.
All he did was hover over a link in my author byline.
You might have the same vulnerability on your WordPress site, and there’s a very easy fix.
If you have “By [Name]” in your byline that usually shows up underneath your WordPress title, you might be exposing your admin username.
I didn't want to expose anyone's site that was still vulnerable, so the byline in the example above isn't even hyperlinked; I just wanted to show what it looks like, since I ended up removing my own byline altogether.
Anywho…
Hover over that name in your byline. (Not all themes show the byline.)
You will notice it goes to http://yoursite.com/author/[name]
That [name] is the user_nicename WordPress stores for your account. When the account is created, WordPress builds it from your login username (lowercased, with spaces and punctuation turned into hyphens), so unless you have changed it, that URL is telling the world your login username.
How crazy is it that WordPress has not addressed this yet???? As if WordPress is not vulnerable enough!
And since most of us post using our Admin accounts, this is dangerous. You are basically telling the hackers of the world what your WordPress admin login username is.
So all they have to do is run a script that tries passwords against your login page, and if yours is a simple one, it won't take them long.
For the record, these scripts don't start at "a" and count up alphabetically; that would take forever. They work from wordlists: millions of passwords leaked in past breaches, plus plain dictionary words, with the usual tweaks applied automatically (a capital first letter, a few digits on the end, an exclamation mark).
happy… Happy… happy1… happy123… Happy123! and so on, for every word in the list.
Sounds tedious, right? But here's the deal…
Against a login form the script can only go as fast as your server answers, so it's not the "millions per second" you hear about for offline cracking, but it runs around the clock, often from many IP addresses at once, and a password like happy123 sits near the front of every list.
It's not like John (or Jane) 🙂 is sitting at your login screen manually entering each option. This process is totally automated!
Many WP blogs get hacked because they use "admin" as the username and then a super simple password. What actually protects you is length and unpredictability: a long passphrase or a random password from a password manager, unique to that site, not just a capital letter and a symbol bolted onto a dictionary word.
If you’re using a password like happy123, then you’re begging to get hacked — especially if your username is exposed in the byline.
For the record, words that can be found in the dictionary are a big no-no — even if you add numbers at the end.
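To make that concrete, here is an added example of how such a script orders its guesses. It is my own illustration, not code from the original post or from any real cracking tool: a tiny constructed wordlist, the usual case and digit-suffix tweaks, and a function that reports how many guesses it takes to reach a given password. The wordlist, the tweak rules and the 5-guesses-per-second rate in the demo are assumptions chosen to keep the numbers small; real lists are millions of entries long.

```python
import itertools
import string

# Constructed stand-in for the wordlists guessing tools ship with. Real lists hold
# millions of entries taken from past breaches; six words are enough to show the shape.
WORDLIST = ["password", "happy", "welcome", "admin", "letmein", "sunshine"]


def case_variants(word):
    """The capitalisation tweaks a guessing tool applies to each dictionary word."""
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def candidates(words=WORDLIST, max_digits=3):
    """Yield guesses in the order a simple word+suffix attack would try them:
    the word itself, the word with '!', then the word followed by every 1..max_digits
    digit string, each with and without a trailing '!'."""
    for word in words:
        for base in case_variants(word):
            yield base
            yield base + "!"
            for n in range(1, max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    guess = base + "".join(digits)
                    yield guess
                    yield guess + "!"


def guess_position(password, words=WORDLIST, max_digits=3):
    """1-based position at which `password` is guessed, or None if it lies outside the
    candidate space (this attack would never find it)."""
    for position, guess in enumerate(candidates(words, max_digits), start=1):
        if guess == password:
            return position
    return None


def total_candidates(words=WORDLIST, max_digits=3):
    """Size of the whole candidate space for these settings."""
    return sum(1 for _ in candidates(words, max_digits))


def seconds_to_find(password, attempts_per_second, words=WORDLIST, max_digits=3):
    """Wall-clock time to reach `password` at a given online guessing rate, or None."""
    position = guess_position(password, words, max_digits)
    return None if position is None else position / attempts_per_second


if __name__ == "__main__":
    print("candidate space:", total_candidates())
    for pw in ["happy123", "Welcome1!", "xq7#Vt9!pLz2"]:
        pos = guess_position(pw)
        if pos is None:
            print(f"{pw!r}: not in the candidate space")
        else:
            # 5 guesses per second is a slow, throttled rate for a single bot (assumed).
            print(f"{pw!r}: guess #{pos}, about {pos / 5:.0f} s at 5 guesses/s")
```

With six words the whole space is under 40,000 guesses, and happy123 is found in the first 7,200 or so; a random 12-character password is never produced at all, which is the whole argument for a password manager.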
How to Hide Your Username In The Byline
This may seem intimidating at first, but it’s super easy and should only take you about 3-5 minutes.
Darren created a video that explains all this and shows you how to fix the problem. There are also text instructions below.
I would highly recommend you backup your database before making any changes. Pleeeeease!
Text Instructions
If you prefer text instructions, here ya go…
1. Login to your cpanel or hosting account control panel.
2. Go to PHPMyAdmin or whatever database software your host uses. It might just say “Databases.”
Your interface may also look slightly different. I’m on dedicated hosting, and my cpanel just got upgraded. The point is to find phpMyAdmin or your database icon.
You will see your WordPress database name(s) and any other databases you have setup. It should look similar to the image below.
3. Click the name of your database (or the plus sign next to it), and it will expand a list of all the tables inside that database.
4. Look for a table called wp_users (the wp_ prefix may be different if it was changed when your site was installed) and click it. This is where all your blog’s users are stored.
This will bring up a table of all the users in your WordPress database.
5. Find your username for your admin account and click Edit.
You should see a field called user_nicename, and it will usually be the same as your login (lowercased).
This is the culprit and what you should change IMMEDIATELY! Change it to “webmaster” or anything other than your login username. Keep it to lowercase letters, digits and hyphens, no more than 50 characters, and make sure no other user already has it: phpMyAdmin won’t clean it up or check it for you the way the WordPress dashboard would, and it goes straight into a URL.
6. Click “Go” or “Save” and that should be it.
Now if you use the byline on your posts, your username will no longer be displayed in the hyperlink.
It will show the name you just changed it to, which is OK because it’s not tied to any of your login details.
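Here is the same procedure as an added example, mine rather than code from Lisa's post or from WordPress itself. It is written in Python around an in-memory SQLite copy of wp_users so it runs offline, but the SQL statements are the ones you would type into phpMyAdmin's SQL tab against the real table. The sample rows are constructed, slugify() is only an approximation of WordPress's sanitize_title(), and the wp_ table prefix is assumed.

```python
import re
import sqlite3

# Constructed stand-in for a wp_users table (ID, user_login, user_nicename, display_name).
# On a live site you run the same SQL in phpMyAdmin's SQL tab; SQLite is used here only
# so the example runs offline.
SAMPLE_USERS = [
    (1, "lisairby", "lisairby", "Lisa"),          # nicename is the login: leaks it
    (2, "Darren Geek", "darren-geek", "Darren"),  # nicename is the cleaned-up login: still leaks it
    (3, "editor42", "webmaster", "Editor"),       # already decoupled
]


def open_sample_db():
    """Create the in-memory stand-in table and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, "
        "user_nicename TEXT, display_name TEXT)"
    )
    con.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return con


def slugify(text):
    """Approximation of WordPress's sanitize_title(), which WordPress runs on the login
    to produce the default user_nicename: lowercase, every run of characters that is not
    a letter or digit becomes one hyphen, trimmed, capped at the column's 50 characters."""
    slug = re.sub(r"[^a-z0-9]+", "-", text.lower()).strip("-")
    return slug[:50]


def leaking_users(con):
    """The check from step 5: users whose public slug is their login, or its cleaned-up form."""
    rows = con.execute("SELECT ID, user_login, user_nicename FROM wp_users").fetchall()
    return [
        (uid, login, nice)
        for uid, login, nice in rows
        if nice == login.lower() or nice == slugify(login)
    ]


def unique_nicename(con, wanted, user_id):
    """Clean the requested slug and, if another user already has it, append -2, -3, ...
    (the same rule WordPress applies when a user is created through the dashboard)."""
    base = slugify(wanted)
    candidate, n = base, 2
    while con.execute(
        "SELECT 1 FROM wp_users WHERE user_nicename = ? AND ID <> ?", (candidate, user_id)
    ).fetchone():
        candidate = f"{base}-{n}"
        n += 1
    return candidate


def set_nicename(con, user_id, wanted):
    """Steps 5 and 6: the UPDATE from the text, with two guards phpMyAdmin won't give you:
    the new slug is unique, and it isn't just the login spelled differently."""
    row = con.execute("SELECT user_login FROM wp_users WHERE ID = ?", (user_id,)).fetchone()
    if row is None:
        raise LookupError(f"no user with ID {user_id}")
    new_slug = unique_nicename(con, wanted, user_id)
    if new_slug == slugify(row[0]):
        raise ValueError("new user_nicename would still reveal the login")
    con.execute("UPDATE wp_users SET user_nicename = ? WHERE ID = ?", (new_slug, user_id))
    con.commit()
    return new_slug


if __name__ == "__main__":
    con = open_sample_db()
    print("before:", leaking_users(con))
    print("user 1 ->", set_nicename(con, 1, "webmaster"))    # 'webmaster' is taken, so webmaster-2
    print("user 2 ->", set_nicename(con, 2, "Site Editor"))  # cleaned up to site-editor
    print("after:", leaking_users(con))
```

The two guards are the part worth copying: the dashboard enforces uniqueness and cleans the slug for you, but a raw edit in phpMyAdmin does neither, so a typo like "Lisa Irby" or a slug that another user already owns goes straight into the table.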
What Is The Purpose of The User_Nicename Field?
In case you’re worried about breaking something with this change, here’s some reassurance.
The user_nicename field exists to give the author archive a URL-safe address.
It's a slug that makes the author post archive link look “nicer”, hence the name.
So if your username is something funky with spaces, symbols or capitals, the user_nicename is the cleaned-up version that goes into the author post archive link (URL).
If you change the user_nicename, you are changing the URL of the author’s archives.
The good news is that every link WordPress generates itself (bylines, author links, the archive’s own pages) picks up the new slug automatically, so nothing in your theme breaks. The old /author/ URL simply stops working, which is the point.
But if you happen to manually link to all your author posts somewhere else on your site (rare), then you will have to change those links to the new one.
There really is no need for a byline when you have a single-author blog anyway. If you use Genesis themes like me, you can easily get rid of it by installing The Simple Edits plugin.
What If Your Theme Doesn’t Have a Byline?
This is pretty common today. A byline might not be coded into your particular theme.
However, even if the byline is not displayed, the author archive still exists, because WordPress generates one for every user who has published posts.
So anyone can still go to http://yoursite.com/author/[admin_username], and they don’t have to guess it: on a site with pretty permalinks (the usual setup), requesting http://yoursite.com/?author=1 makes WordPress redirect straight to the author archive URL for user ID 1, which on most blogs is the admin account, slug and all. That is exactly how the automated scanners find it.
So the byline isn’t really the issue; the slug is. I’d change the user_nicename whether or not your theme links to it.
—————-
Thank you, Darren for alerting me of this! This is such an important issue so I want to spread the word as you have done on your blog.
I can’t believe I’ve used WordPress all these years and have never come across this info! 😮
Look-a-here, ladies and gents! All WordPress users need to know about this. Please spread the word by tweeting the link below, especially if you have a website that targets bloggers.
John Doyle says
Thanks for the info Lisa which was very helpful and easy to follow for a WP beginner like me. Have changed my user_nicename so that my admin username is now not being used in hacking attempts. Difficult to understand why the default setting is for the admin username to be used as the user_nicename.
I realise that I could have created another user with fewer privileges but I didn’t want to have another username and password to bother with.
Had been puzzled for weeks as to how hackers had discovered and were attempting to login using my obscure admin username. I had tried changing my admin username but I was surprised when the hackers used my new admin username on the next attack a short while later.
Stephen says
Hey Lisa. Just a quick message to say I received this post this morning again in my inbox. Don’t know if you sent it or just something to look at.
Also, while I’m here, on this post, a quick Q? When I’m in my php and changing my Username, there is also a password beside it, a crazy looking password (user-password). Is this created for us, or should it be a password I have created?
Lisa Irby says
Hey Stephen, Sorry! just now seeing this. Yes, I don’t know why AWeber sent out an old message.
Annoying! Sorry about that.
I think that’s auto-generated by WordPress but you can create your own. Did you get it figured out?
Stephen says
I did indeed Lisa thank you.
kris says
thank you. this worked!
MD Mhosin says
But turns out that having your username isn’t as big a deal as some folks make of it, else every WP site on the planet would have been hacked because of it by now.
Lisa Irby says
That’s very true, but I also know that some people don’t want their username that easily accessible no matter what.
Stefan Alexander says
Great post! I never knew this could be an issue. It’s time to go fix it. You are right! Many hackers can easily crack the password within minutes as their automated tools try thousands of options at a time. I would also add that bloggers better use a captcha or some other tool to add another step before logging in. It may seem like not much security but the tools can’t always get around the captcha and spam blockers. That also can keep your WordPress site safe from both hacking and spam comments. Thanks for the great tip, Lisa! I’m off to secure my site now!
Eric Bateman says
Hey Lisa.
This is the biggest flaw in WordPress security. Additionally, what I like to do is lock the wp-admin folder with a password, so when someone is trying to log into the WordPress login area they have to put in the folder password as well. I have also tweaked some things and it will hide the author name completely.
Have to say this method is really simple. I would give this a try.
Thanks for the share.
Felicia says
Thank you, thank you, thank you! Although I don’t use the Admin username, my byline was giving these folks an open invitation to try to hack my account. I never liked the fact that my username was viewable with a mouse over, but didn’t know what I could do about it.
I use the Limit Login Attempts plugin and was amazed at how many times the same IP address tries to gain access. Don’t these folks have anything better to do?
Anyway, your instructions were clear and to the point. So clear that even I was able to follow them without compromising my site. 🙂 Thanks again!
Subhashree says
Hey Lisa,
This is a great article, I would say. May I know how I can change my login username?
DEMO says
This was really helpful. My site is under maintenance for a rebrand, and I just realized I forgot to change my author name to a display name, so my actual admin name was showing! I fixed that and luckily, it’s not hyperlinked.
Kim says
Gosh, thank you! I hovered and saw my user name. Grrr. I was able to fix it following your screenshots.
Lisa Irby says
Sweet!! Glad it worked!
ian allan says
Hi Lisa
I had an “Admin” user name this time last year and a nice Russian man showed me that was not a good thing to have. OMG you never want that to happen to you. It took months to resolve.
Anyhow I now use the free version of the Wordfence security plugin. It locks out anyone having 10 or more login attempts. When you look at the logs, it’s amazing to see how many hacking attempts you get each day.
Ian
David says
A big overkill, you could simply block access to your wp-admin page with the use of a password and username. So before any bot or person could even access your wp-admin page they would need to enter a first-tier username and password. Pat Flynn does this. I’ve done this too for websites as well.
Lisa Irby says
I hear ya. I just don’t want my admin name in the link regardless. Thank you for the suggestion.
Thor Ium says
Thank you Liza for your very informative post , I’m going to make changes in my wordpress account.
Shantanu Sinha says
Hello Lisa,
Awesome post up here 🙂
Changing our admin is the smallest thing we can think of but it can overturn the whole scenario.
It’s good to read that I can change my login name rather than changing my name. Feeling of relief.
Thanks for the wonderful share.
Happy Blogging.
Shantanu.
Lena Michelle says
Whoa! Thanks to the both of you for sharing, Lisa! I’m still working on my site, so I haven’t really publicized it yet. But I know that doesn’t mean much because already it’s live. I’m so noid about getting hacked that I should’ve at least known this quick and easy fix. Sooo appreciated!
stephen says
Grrrrr, always fecking something. Cheers for the heads up Lisa.
Lisa Irby says
LOL, so true. No problem Stephen!
Larry says
For the more faint of heart there is also a plugin that will take care of this. It’s called Edit Author Slug. Here is the link. https://wordpress.org/plugins/edit-author-slug/
Lisa Irby says
Great suggestion. Thanks, Larry.
Alex Newell N.D. says
Thanks Larry – I was about to ask Lisa about a suitable plugin 🙂
Mike says
Hi Lisa,
Thanks for drawing our attention to this. I can see people can click on my name and the URL did mention my username there. Terrible! I will need to fix this immediately.
Thank you.
Allan says
Thanks for the information, Lisa. I’m always concerned about my websites’ security, ever since I had a couple of my sites hacked into several years ago (it is a nightmare). I now always install security plugins that include brute force protection, but still, when you have something like this kind of situation where your login name is out there for anyone to peek at, it’s like walking around in public with your drawers exposed.
Lisa Irby says
Drawers exposed! LOL!! Love this analogy!!! 🙂
Joseph G says
WOOOOOW!!!! Thank you for this post! God was in my mind “You need to check Lisa’s blog” lol. Went to my site, and sure enough, it happened to me!
Almost had a Heart Attack because of it lol
Lisa Irby says
Glad “He” sent you here! 🙂
Alison says
Amazingly my tech guy has been telling me that we must change the “admin” on my WordPress sites, however I never thought of it as a priority and felt he was being a bit OTT. However, I’m onto it now after your article. Many thanks for prompting me to listen.
Lisa Irby says
WordPress needs to fix it so that username (admin) cannot even be used when installing. There are so many things they (WordPress) could do at the core that will help make it more secure but they don’t seem to do it.
Linda says
Hi Lisa,
I knew you could read minds :-D.
Just last week I was looking at the exact same thing and saw that WP displays my user login name, which is completely different from my real name together with my name at the bottom of my posts and thought to myself if anyone realized that’s my username they can just copy and paste and click on forgot password. And they’d be right where I don’t want them to be.
I tried to fix it inside my WP dashboard and never even knew it should be changed in phpMyAdmin but with your pics it was super easy to do.
Thanks a million
Lisa Irby says
Good to know my mind-reading skills are improving! lol You’re very welcome!
Ileane says
Hi Lisa,
Thanks for sharing this. I know that MaAnna talked about this in the past so I’m glad more people are finding out through your post.
Darren always has great tips!
Lisa Irby says
No problem! Well I sure wish I had seen MaAnna’s advice ’cause I had noooo idea!
Anonymous says
Hi Lisa,
Just wanted to comment on your constant helpful information. Everything from your Facebook T-Shirt account to your Blog you never cease to give very helpful information. Love your people skills and your love for helping web based business owners.
Lisa Irby says
Awww thanks so much!
Billee says
Thanks! Instead of changing my nice name, I changed my log in name. I’ve been meaning to do that anyway. 🙂 Thanks for the info!!!
Lisa Irby says
No prob!! That’s a good solution too. Cheers!
MaAnna says
I went through the roof when I first found out about this years ago. If my online bank leaked half my login I’d find a new bank. But the WP core devs don’t seem to think it’s much of a problem. When I brought this up, they just shrugged.
But turns out that having your username isn’t as big a deal as some folks make of it, else every WP site on the planet would have been hacked because of it by now.
The best thing you can do is have a super duper strong password and use some type of Brute Force protection to limit how many times a wrong combo can be put in by the hacker algorithm machines before they are locked out. I use Login Lockdown for this. Simple, lightweight, and effective. Limit Login Attempts has not been updated in years, but works the same way. I think someone may have forked development on that base code, though, but haven’t checked it out.
Lisa Irby says
That’s how I felt when I first realized it!! True, a strong password is key but wow… that just didn’t sit right with me when I realized that. Great tips, MaAnna. Thanks for the plugin recommendations too!
Gareth Gudger says
A good security plugin like iThemes Security can also automate this fix.
Lisa Irby says
Thanks for the tip, Gareth!
Small Biz Geek says
Thanks for helping to spread the word on this issue, Lisa, and thanks also for the links.
I’ve been trying to warn people about this user_nicename fix for years.
I guarantee, you’ll never look at another WordPress site the same way. You’ll be doing what I do and checking their author archive URL to see if the WP username is revealed!
Lisa Irby says
I just can’t believe I’ve never come across this. I’m so glad you alerted me, Darren otherwise who knows when I would have discovered it.
Sheina says
Very good post. Thank you Lisa.
deb erney says
Another easy fix is to create an author login for you site that doesn’t have admin privileges.
Lisa Irby says
Good point!! Didn’t think of that! Thank you.
AJ says
Don’t forget to exclude authors from the sitemap in that case otherwise the username with admin privileges can still be picked up.
I’d still prefer the nice name update fix regardless, as all too often the username is the same as, or similar to, the actual website name.
I actually decided to update the username instead of the nice name in my website via the database. Similar fix except that the author URL remains the same.
Thanks for sharing this helpful article.
Lisa Irby says
Awesome tip!! I love that you all are sharing additional tidbits I never thought of!!