How Your Author Slug Is Exposing Your WordPress Admin Username & How to Fix it

Your WordPress website is protected by two pieces of information, your Admin username and your password.

Someone would need to get access to or guess both pieces of information to successfully hack into your website and access the Admin dashboard.

So why are so many WordPress website owners exposing their Admin usernames and tempting hackers to take control of their websites?

The truthful answer is because they are probably unaware of the username vulnerability in the WordPress core software, that is exposing their username for all to see.

Don’t worry i was completely shocked when I discovered this but fixing it is fairly simple and I’ll explain it step by step so you too can protect your WordPress website.

Before we get started let me explain a few things.

WordPress has some pretty awesome built-in features and one of my favourites it the Permalinks settings.

The permalink setting is an easy way for you to have WordPress create SEO friendly and easier to remember URLs for all of your blog posts and pages.

What I’m talking about is the bit that comes after the domain name.

Take this URL as an example:
https://urmilpatel.com/day-10-quick-review/

The permalink setting controls the bit that comes at the end of the domain name after the forward slash. i.e. “day-10-quick-review” in this example.

This part of the URL is also know as the URL slug.

Now the permalink setting only controls the URL slugs for posts, pages and categories but NOT for Author archive pages.

This is where the vulnerability lies, it’s the URL or author slug of the Author archive page that gives up your username by default.

Every blog post on a website is created and published by a particular user. That user becomes the author of the blog post.

Each author has an archive page that essentially lists all of the posts they have published and it’s the URL of that page that reveals your username to all to see.

The Author archive page URL looks something like this:
https://yourdomainname.com/author/[name]

The “author” part of the URL is known as the author base.
The [name] part at the end of the URL is known as the Author slug.

If you haven’t manually changed the setting that controls the Author slug, then by default it will expose the username of the author.

And since most people publish blog posts using their Admin user account, they are unknowingly telling everyone their WordPress admin username.

What’s worse is that by leaving the Author slug setting as the default, your username could find its way to being saved on the internet permanently at caching websites that periodically take snapshots of websites to keep am archive of the web.

Here’s a screenshot that I was surprised to find that exposed my username. I’ve changed it now thankfully, but it was certainly worrying to find it.

wordpress author slug security issue

Never Use Admin as Your WordPress Username

One of the first steps you can take to make your website more secure is to never use “admin” as your WordPress username.

“Admin” is used by WordPress as the default username to create a user account and hence hackers always try this first with a gazillion combination of passwords to try to hack into your website.

Another tip is to never use your first name or last name as your username or any word straight out of a dictionary even if you add a few numbers at the end.

Try to keep your username pretty obscure, something like “ch47fkY3”.

I also recommend you use at least 8 characters with a combination of upper and lowercase and some numbers throughout.

You’re probably thinking, that’s ridiculous, why should I make my username as complex as my password, surely my username needs to be easy to remember.

I have to disagree. Your username needs to be kept secret, be obscure and unguessable. The last thing you want it to be is easy to remember.

If it’s easy to remember, it’s easy to guess.

And your username is one half of the information hackers need to take down your website.

Make Sure You Change your Nickname

In the WordPress dashboard, go to Users and click “edit” to edit the Admin user account. Here you will see the option to choose a “Nickname”.

What this setting does is it allows you to choose a name that can be publicly displayed in the byline of each post that you publish.

This is the setting where you can use your name. You’ll see that on my blog, my Nickname is “Urmil Patel”.

You then use that Nickname and set the Display name publicly as option to use that Nickname.

Remember to save the changes.

How To Check If Your Author Slug is Exposing Your Username

Let’s take a look to see if your username is exposed through your Author slug.

This is pretty simple to do. Go to your website and visit any blog post.

Find your Author byline. This is the bit of information, usually under the blog post heading, that shows who the blog post was written by and sometimes the date it was published or updated.

If you hover your mouse over your name, you’ll see that the hyperlink contains your Admin username by default.

To actually see it in action, simply click the link and check the URL in the web browsers address bar. You will see something like this:

https://yourdomainname.com/author/[username]

This essentially is exposing your username, even though the Author name you see in the Author byline in your blog posts may be set to show you name and not your username.

My WordPress Theme Doesn’t use an Author Byline Or My Author Name Isn’t A Hyperlink.

The Author byline may not visible in the WordPress theme you have chosen. This actually creates more of a problem. If you can’t see the Author byline, then you would never suspect the security vulnerability surrounding the Author slug.

That’s exactly my point, you wouldn’t even realise that you are exposing your Admin username, because your Author byline isn’t visible.

Just because you may be using a theme that hides the Author byline or if the Author name in the byline isn’t a hyperlink, you still need to check that your username isn’t being exposed.

Type the following URL into your browser:

https://yourdomainname.com/author/[username]

Replace [username] with your actually username and without the square brackets and yourdomainname.com with your actual domain name. If your Author archive page loads up, then your username is exposed.

Let’s Fix This Username Vulnerability

WordPress gives you the option to change the Nickname (with a ‘k’) of a user in the User settings of the Admin dashboard, but this only control the visual text shown in the Author byline line. The Nickname is not used to create the Author slug.

In order to change the Author slug, we need to change the Nicename (with a “c” of the user.

Unfortunately WordPress doesn’t allow us to do this directly in the dashboard.

I’m not exactly sure why they don’t allow users to easily change this setting, yet its available and used in the software.

The Nicename of the user is essentially a setting that controls the Author slug.

Basically it lets you change the [author-slug] part of this URL:
https://yourdomainname.com/author/[author-slug]

This therefore stops your username being exposed and instead allows you to choose how your name appears in the Author archive page URL.

To change the author-slug, you’ll need to install and activate a simple plugin called Edit Author Slug.

Once you’ve activated this plugin, simply go to your Users and click the ‘Edit’ link under the user you want to edit.

Now you can scroll down and you’ll see a new section called ‘Edit Author Slug’. There are a number of options that you can use as your slug, but I recommend creating a custom slug.

wordpress edit author slug

Simply click on the ‘Update User’ button and then visit your website to check the changes.

You can simply check the Author archive page URL using your actual username and it should now throw an error page.

The new URL will use the custom Author slug you just set in the Edit Author Slug plugin.

It’s as simple as that.

Set up a Redirect To Avoid Any SEO Penalties

You’ve hidden your username from all prying eyes, good job, but there’s one last thing that’s left to do.

If your website has been indexed by Google then your Author slug is in Google’s database. If you or anyone has linked to that specific URL then the fact you’ve changed the author slug means the previous URL no longer exists and will show an error page if anyone visits it.

This can lead to being penalised by Google in the search engines.

To avoid this simply set up a redirect from the old URL to the new one.

I recommended using the Redirection plugin. It’s one of my favourites.

Simply install and activate the plugin and set up a new redirect from the old author post archive URL:

https://yourdomainname.com/author/[username]

to your new author slug:

https://yourdomainname.com/author/[new-custom-author-slug]

And that’s it, you’ve just doubled the security of your WordPress website.

Now anyone attempting to hack into your website is going to need to figure out both your username and password. A hackers job just became exponentially more difficult.

I hope you’ve made the changes to your website . If not do it today. There is no point taking a risk with your online business, especially if you don’t have to.

If you get stuck or have any questions, just leave a comment below.

Leave a Reply

Your email address will not be published. Required fields are marked *