There are bots out there, roaming the Internet poking at websites, trying to break in. These aren’t ninja assassins coming after you in particular — they’re more like thieves wandering down the sidewalk looking for cars whose doors are unlocked.
Normally, a hacker needs two pieces of information to break in — your login name (or email address) and password. If you have a strong password, and a security plugin to track how many times a login has been tried from the same address and shut them down completely after a given number of tries, you’re pretty safe. Two-factor authentication, of course, also makes your site much more secure, if you think it’s worth the hassle.
There’s another thing which may or may not be worth the hassle, depending who you ask. Keeping your login username secret makes it harder for hackers to mount a brute force attack because they have to guess two secret “words” instead of one. Why give away half the information needed to break into your site, folks reason.
The situation and solutions are described in more detail here.
TL;DR: there are measures to protect usernames, and the plugin reviewed here is one of them. However, WordPress wasn’t designed to keep this information secret, and there are many ways usernames can “leak”, especially through plugins. Some experts advise it’s better to just install a good security plugin and use it block brute force attacks and to mandate tough passwords.
Still, we are talking bots here, not human expert hackers who’ll prod at every aspect of your site. If you want to make things a little harder for them, there are three things you can do to baffle most bots and probably reduce the number of brute-force bot attacks to zero:
- When you install WordPress, choose a username different from the name you want shown to the world, but not so different as to make people wonder what you were thinking, should they happen to see it (e.g. if you are Franklin Mott, maybe frmott. Then, edit your user profile information (click your name on the upper right in the WordPress dashboard), and change your display name to the name you want people to see.
- If you use Yoast SEO to generate sitemaps, disable the author sitemap, which exposes usernames. Bots know to look for this.
- Turn off a feature that lets bots learn usernames by asking what name corresponds to a user number — user number 1 is generally the administrator as that is the first ID created when you install WordPress.
To test whether this third aspect is locked down, issue a URL such as:
Unless you’ve done something to prevent it, WordPress helpfully redirects the URL to:
thereby revealing the login name of your administrator user. If there’s no user 1, the bot can try author=2, etc, until it finds all the usernames on your site.
The Stop User Enumeration plugin by Fullworks blocks that by making WordPress not redirect the URL. All the potential hacker has is a user number, which isn’t useful for breaking in.
NOTE: The Yoast SEO plugin, if you use it to generate a sitemap, creates an author-sitemap.xml file that contains all your site’s usernames. Bots also look for this information. The author part of the sitemap isn’t helpful unless you have multiple content authors on your site and you want to rank them. So you need to do one of two things:
- If you don’t need the author part of the sitemap, deactivate just that part. In your dashboard, go to SEO > Search Appearance and disable “Author archives.” This is what I normally do. If you don’t know whether you need the author sitemap, you don’t need it.
- If you want the author part of the sitemap, use a different tool than Yoast to generate it. In your dashboard, go to SEO > General, Features tab, and disable XML sitemaps. Then find some other plugin to create your sitemap the way you want it. I don’t currently have a specific recommendation; if you do, please comment.