I received an alarming DM from one of my e-buddies, Darren of Small Biz Geek.
This is what it said…
Now, I will say this…
I know not to ever use “admin” for my username, and I’m aware of the nickname issue.
What’s the nickname issue, you ask?
Always set a nickname and choose it as your public display name; otherwise the name WordPress prints on your posts and comments is your username itself.
Go into Users from your dashboard and edit your admin user account. Set the Nickname to something other than your username, then pick that nickname under “Display name publicly as.”
But I had already done that, so I wasn’t aware of any other username vulnerabilities.
Well there’s another one, and it’s a biggy!
The Byline Might Be Exposing Your Username
Darren figured out my login username for my new site, and he didn’t have to hack the database or go to great lengths to figure it out.
All he did was hover over a link in my author byline.
You might have the same vulnerability on your WordPress site, and there’s a very easy fix.
If you have “By [Name]” in your byline that usually shows up underneath your WordPress title, you might be exposing your admin username.
The byline in the screenshot above is not hyperlinked (I didn’t want to expose a vulnerable site, and I’ve since removed my own byline altogether), but it shows what one looks like.
Hover over the name in your byline. (Not all themes show one.)
You will notice it links to http://yoursite.com/author/[name]/
The [name] part is the account’s author slug (the user_nicename field in the database), and by default WordPress builds that slug from your login username. So unless you have changed it, [name] is your login username.
How crazy is it that WordPress still ships this default? The slug is public by design, and nothing in the dashboard warns you that it started out as your login. As if WordPress is not vulnerable enough!
And since most of us post from our admin accounts, this is dangerous. You are handing the hackers of the world half of your WordPress login: the username.
All they have to do now is point a script at your login form and guess the password. If it’s super simple, that won’t take them long.
For the record, password guessing is automated. The scripts don’t start at “a” and count upward; they work through lists of the most common passwords, then dictionary words, then those same words with numbers and symbols tacked on the end, and only fall back to trying every possible combination after that.
Sounds tedious, right? But here’s the deal…
Because it’s a script hammering your login form over the network, it can try hundreds or thousands of guesses per minute, around the clock, and it never gets bored. (The “millions of attempts per second” figures you read about apply when attackers already have a stolen copy of the password hashes and crack them offline; against a live login form the pace is slower, but still far beyond anything a person could type.)
It’s not like John (or Jane) is sitting at your login screen manually entering each option. This process is totally automated!
Many WP blogs get hacked because they use “admin” as the username and then a super simple password. That’s why your password should be long (length beats cleverness), random, and unique to that site. Mixing lowercase, uppercase, numbers and symbols helps, but a long passphrase nobody has used before helps more.
If you’re using a password like happy123, then you’re begging to get hacked, especially if your username is exposed in the byline.
For the record, words that can be found in the dictionary are a big no-no, even if you add numbers at the end. Those are exactly the variations the guessing lists try first.
How to Hide Your Username In The Byline
This may seem intimidating at first, but it’s super easy and should only take you about 3-5 minutes.
Darren created a video that explains all this and shows you how to fix the problem. There are also text instructions below.
I would highly recommend you backup your database before making any changes. Pleeeeease!
If you prefer text instructions, here ya go…
1. Login to your cpanel or hosting account control panel.
2. Go to phpMyAdmin or whatever database tool your host provides. It might just say “Databases.”
Your interface may also look slightly different. I’m on dedicated hosting, and my cpanel just got upgraded. The point is to find phpMyAdmin or your database icon.
You will see your WordPress database name(s) and any other databases you have setup. It should look similar to the image below.
3. Click the name of your database (or the plus sign next to it), and it will expand a list of all the tables inside that database.
4. Look for a table called wp_users and click it. (If your site was installed with a custom table prefix, it will be named something like xyz_users.) This is where all your blog’s users are stored.
This will bring up a table of all the users in your WordPress database.
5. Find the row for your admin account (look at the user_login column) and click Edit.
You should see a field called user_nicename, and it will be the same as your login.
This is the culprit and what you should change IMMEDIATELY! Change it to “webmaster” or anything other than your login username, but keep it a valid slug: lowercase letters, digits and hyphens only, no spaces, at most 50 characters (the column is varchar(50)), and not a value another user already has. While you’re in the row, also check display_name; that is the name printed in the byline text, and it should not be your login either. Leave user_login and user_pass alone.
6. Click “Go” or “Save” and that should be it.
Now if you use the byline on your posts, your username will no longer be displayed in the hyperlink.
It will show the name you just changed it to, which is OK because it’s not tied to any of your login details.
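The same fix, expressed as SQL instead of phpMyAdmin clicks. This is an added example, not part of the original post or Darren’s video; you can paste it into phpMyAdmin’s “SQL” tab or the mysql client. It assumes the default wp_ table prefix, a login of mylogin and a new slug of webmaster (all three are placeholders to replace). It also covers the “nickname issue” from the top of the post, since display_name lives in the same row, and the author archive discussion further down, since user_nicename is the slug that archive URL is built from.

```sql
-- Added example (not from the original post). Assumed placeholders:
-- table prefix wp_, login 'mylogin', new slug 'webmaster'.

-- 1. Audit: list every account whose public author slug (user_nicename) or
--    public display name still equals its login. Every row returned here
--    leaks a username, either through /author/<slug>/ or through the byline text.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_nicename = user_login
   OR display_name = user_login;

-- 2. Pre-check: WordPress keeps slugs unique by appending -2 when it creates a
--    user, but a hand-written UPDATE skips that, so confirm the new slug is free.
--    Must return 0 before you continue.
SELECT COUNT(*) AS already_used
FROM wp_users
WHERE user_nicename = 'webmaster';

-- 3. Fix: change only the slug. Keep it lowercase, letters/digits/hyphens,
--    at most 50 characters (varchar(50)), which is what WordPress itself would
--    generate. user_login and user_pass are untouched, so you still log in
--    exactly as before. The extra condition is a guard: it refuses to touch a
--    row that was already fixed or that you picked by mistake.
UPDATE wp_users
SET user_nicename = 'webmaster'
WHERE user_login = 'mylogin'
  AND user_nicename = user_login;

-- 4. Verify: the row should come back with the new slug, and the audit query
--    in step 1 should no longer list it.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login = 'mylogin';
```

After step 3 the old URL http://yoursite.com/author/mylogin/ returns a 404 and every link WordPress generates uses /author/webmaster/ instead; the login form still accepts mylogin, because user_login was not changed. If the audit in step 1 also returns rows for other authors, repeat steps 2 to 4 for each of them; the problem is not limited to the admin account.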
What Is The Purpose of The User_Nicename Field?
In case you’re worried about breaking something with this change, here’s some reassurance.
The user_nicename field was only created to simplify the URL of the author archives.
It’s a slug to make the author post archive link appear “nicer”, hence the name.
So if your username is something funky with symbols and hyphens, then the user_nicename will simplify the author post archive link (URL).
If you change the user_nicename, you are changing the URL of the author’s archives. The old URL (/author/old-slug/) stops working, which is exactly what you want.
The good news is WordPress generates byline and archive links from the current slug, so you won’t have broken links in your bylines.
But if you happened to type the old author archive URL by hand somewhere else on your site (a menu, a widget, a post), then you will have to update those links to the new one.
There really is no need for a byline when you have a single-author blog anyway. If you use Genesis themes like me, you can easily get rid of it by installing The Simple Edits plugin.
What If Your Theme Doesn’t Have a Byline?
This is pretty common today. A byline might not be coded into your particular theme.
However, even if the byline is not displayed, the author archive still exists, because WordPress serves it for every user no matter what the theme does.
So http://yoursite.com/author/[admin_username]/ still works. And it is not hard to find, even with no link to it anywhere: WordPress answers a request for http://yoursite.com/?author=1 with a redirect to that exact URL, so an attacker can walk through the user IDs (1, 2, 3…) and read each slug straight out of the redirect without ever seeing a byline.
So I’d change it whether or not your theme shows a byline.
I can’t believe I’ve used WordPress all these years and have never come across this info!
Look-a-here, ladies and gents! All WordPress users need to know about this. Please spread the word by tweeting the link below, especially if you have a website that targets bloggers.
[clickToTweet tweet=”WordPress is exposing your admin username! Here’s how to fix it!” quote=”WordPress is exposing your admin username! Here’s how to fix it.”]