Stop WordPress hackers getting your username

I just came across a major security flaw in standard WordPress installations: at the moment, hackers can easily get hold of the usernames on a WP site just by typing this sort of URL: yourdomain.com/?author=1. By changing the last digit, they can then build up a list of the usernames of any authors who have posted on your website, and start having a go at guessing their passwords.

Even if you have taken the precaution of hiding author’s names from the frontend, or using nicknames, the above trick wil bypass that and show the author’s username at the end of¬†the URL.

I was flabbergasted at this discovery and can’t believe that this major security loophole hasn’t yet been addressed, especialy since the solution is SO SIMPLE: you just need to add the following lines to your .htaccess file:

RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

This stops the URL trick from working.

Thanks for Tosho at StackExchange for the solution:

http://wordpress.stackexchange.com/questions/46469/can-i-prevent-enumeration-of-usernames

Of course you still need to hide author’s names in your template, or get all authors to use nicknames for posting.

As a final precaution, always install a solid security plugin like BulletProof Security.

Bye bye hackers!

Posted on Thursday, September 1st, 2016.