Do not give away your username as a present to hackers

Posted on 2014-10-17

I've quit blogging here.

This will be removed soon.

It should go without saying that you don’t give away your login data to strangers – especially not that of an admin user. Thankfully, since version 3.0 WordPress has allowed you to choose an admin username other than admin during installation. It is absolutely necessary to do so, because admin is the first username a hacker would try in a brute-force attempt.

Even for non-admin users you should never give away your login data – not even the username. That’s half the battle for a hacker. Just imagine somebody posting something in your name while you are on vacation without internet access for a while. One single posting could destroy your hard-earned reputation.

So always choose a nickname different from your username! Unfortunately, WordPress hides the nickname field during user registration and sets the nickname equal to the username. So you have to edit the user after creation and change the nickname. Make sure only the “display name” or the nickname is shown publicly and never the username. You may have to choose another theme if your current theme shows the username somewhere.

But that’s only half of it! It is beyond all reason that WordPress does not protect your username. It sounds strange, but WordPress betrays all usernames by automatically creating an Author Archive Page for each user.

By default the URL of the Author Archive Page is www.example.com/author/slug. The slug is a hidden field you cannot access in the user settings. When creating a new user, WordPress sets the slug to a URL-friendly version of the username. So the login names of all your users are publicly visible.

The smart User Slug Hider Plugin enhances WordPress security by replacing user names in author page URLs from e.g. to a 16 digits coded string like

It is not possible to draw conclusions about the hidden username from the code. The same username will result in different codes on different sites.

The codes are generated automatically – there are no settings and no need to change anything. This is especially helpful on sites with multiple authors, because you don’t have to take care of the details. The plugin does not change the slug in your database. The URLs are created at runtime. Deactivating the plugin restores the default WordPress behavior.
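The following is an added example, not the plugin's code and not part of the original post: it audits user records for the leaks described above (slug, nickname or display name matching the login) and shows one way a site-specific 16-character code could be derived. The HMAC-SHA256 construction, the per-site secrets, the field names and the `url_friendly` helper are assumptions, since the post does not describe the plugin's algorithm.

```python
import hashlib
import hmac
import re


def url_friendly(login: str) -> str:
    """Simplified stand-in (assumption) for the URL-friendly slug built from a login."""
    return re.sub(r"[^a-z0-9]+", "-", login.lower()).strip("-")


def audit_user(user: dict) -> list[str]:
    """Return the publicly visible fields of one user record that reveal the login."""
    login = user["login"]
    leaks = []
    if user["slug"] == url_friendly(login):
        leaks.append("author URL slug")
    for field in ("nickname", "display_name"):
        if user[field].lower() == login.lower():
            leaks.append(field)
    return leaks


def opaque_slug(login: str, site_secret: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 keyed with a per-site secret, cut to 16 hex chars.
    Without the secret the code cannot be recomputed from a guessed login."""
    digest = hmac.new(site_secret, login.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


# Constructed sample records and secrets, for illustration only.
USERS = [
    {"login": "jane.doe", "slug": "jane-doe",
     "nickname": "jane.doe", "display_name": "Jane"},
    {"login": "site_owner_7", "slug": "editor-in-chief",
     "nickname": "Chief", "display_name": "The Editor"},
]
SITE_A_SECRET = b"constructed-secret-for-site-a"
SITE_B_SECRET = b"constructed-secret-for-site-b"


def report() -> dict:
    """Map each login to the list of fields that give it away."""
    return {u["login"]: audit_user(u) for u in USERS}


if __name__ == "__main__":
    for login, leaks in report().items():
        print(login, "->", ", ".join(leaks) or "no leak")
    print(opaque_slug("jane.doe", SITE_A_SECRET), opaque_slug("jane.doe", SITE_B_SECRET))
```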

Get the free WordPress smart User Slug Hider Plugin.
