How WordPress Exposes Your Admin Username & How to Fix It!
Filed Under: Blogging, New
I received an alarming DM from one of my e-buddies, Darren of Small Biz Geek. This is what it said…
Say whaaaaaaaaat?
Now, I will say this… I know not to ever use “admin” for my username, and I’m aware of the nickname issue.
What’s the nickname issue, you ask? Always change your admin nickname to something else, otherwise the name shown with your comments will be your username. Go into Users from your dashboard, and edit your Admin user account. Make sure you change your nickname to something other than your username.
But I had already done that, so I wasn’t aware of any other username vulnerabilities. Well there’s another one, and it’s a biggy!
The Byline Might Be Exposing Your Username
Darren figured out my login username for my new site, and he didn’t have to hack the database or go to great lengths to figure it out. All he did was hover over a link in my author byline.
You might have the same vulnerability on your WordPress site, and there’s an easy fix. If you have “By [Name]” in your byline, which usually shows up underneath your WordPress post title, you might be exposing your admin username. I didn’t want to risk exposing anyone’s site that was vulnerable, so the byline in the above example is not even hyperlinked; I just wanted to show what it would look like, since I ended up removing my byline altogether.
Anywho… Hover over that name in your byline. (Not all themes show the byline.) You will notice it goes to http://yoursite.com/author/[name]. Whatever you see in place of [name] is your login username.
How crazy is it that WordPress has not addressed this yet???? As if WordPress isn’t vulnerable enough! And since most of us post using our Admin accounts, this is dangerous. You are basically telling the hackers of the world what your WordPress admin login username is. So all they have to do is run their script to figure out your password. And if it’s super simple then it’s not hard for them to crack into your account.
For the record, hackers easily crack some passwords by running scripts that attempt to figure them out. They typically start alphabetically and go down the list: a… aa… aaa… aaab… aaabbb and then they add numbers to the end. Sounds tedious, right? But here’s the deal… this is happening at a rate of millions of attempts per second because it’s a script, so they can go through the millions of combinations VERY quickly.
It’s not like John (or Jane) 🙂 is sitting at your login screen manually entering each option. This process is totally automated! Many WP blogs get hacked because they use “admin” as the username and then a super simple password. That’s why you should always use lowercase, numbers, uppercase, and symbols. If you’re using a password like happy123, then you’re begging to get hacked—especially if your username is exposed in the byline.
For the record, words that can be found in the dictionary are a big no-no—even if you add numbers at the end.
How to Hide Your Username In The Byline
This may seem intimidating at first, but it’s super easy and should only take you about 3-5 minutes.
Darren created a video that explains all this and shows you how to fix the problem. There are also text instructions below.
I would highly recommend you back up your database before making any changes. Pleeeeease!
Text Instructions
- Log in to your cPanel or hosting account control panel.
- Go to phpMyAdmin or whatever database software your host uses. It might just say “Databases.” Your interface may also look slightly different. I’m on dedicated hosting, and my cPanel just got upgraded. The point is to find phpMyAdmin or your database icon.
You will see your WordPress database name(s) and any other databases you have set up.
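For readers who prefer to see what the phpMyAdmin clicks boil down to, here is the same fix as SQL. This is an added example, not from Darren’s video or this post; it assumes the default wp_ table prefix (check $table_prefix in wp-config.php), and the login name and new slug are placeholders you replace with your own.

```sql
-- Added example, not part of the original post. Assumes the default "wp_"
-- table prefix; adjust it if your wp-config.php uses a different one.
-- The /author/[name] URL is built from the user_nicename column, which
-- WordPress fills in from user_login when the account is created. As long
-- as the two match, the byline link reveals the login username.

-- 1. Audit: list every account whose author slug still equals its login.
--    LOWER() on both sides makes the check work on case-sensitive
--    collations too; WordPress lowercases the slug itself.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE LOWER(user_nicename) = LOWER(user_login);

-- 2. Fix: give the account a slug that is unrelated to the login.
--    The slug must be unique in wp_users, at most 50 characters, and use
--    only lowercase letters, digits and hyphens (the same rules WordPress
--    applies), otherwise the author archive will not resolve.
--    'your_actual_login' and 'site-editor' are placeholders.
UPDATE wp_users
SET user_nicename = 'site-editor'
WHERE user_login = 'your_actual_login';

-- 3. Verify: the audited account should now show a different slug, and
--    the audit query in step 1 should no longer return it.
SELECT ID, user_login, user_nicename
FROM wp_users
WHERE user_login = 'your_actual_login';
```

After the change, the old http://yoursite.com/author/[username] address stops working and the byline links to the new slug instead, so any links you published to the old author page need updating.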
