Why Showing The WordPress Username Is Not A Security Risk

When we talk about the basics of WordPress security, we always tell you to use a very strong password. The recently added password strength meter helps to facilitate the process. But what about usernames? WordPress offers a way to change your display name which acts as a username alias. However, it doesn’t hide the username since it’s used within the URL and can’t be changed. For example, https://wptavern.com/author/username is always my account, despite what my display name is.

Leaky Usernames Featured Image
photo credit: Kris Krugcc

Some argue the leaking of usernames is a security risk. Dion Hulse, a core contributor to WordPress, explained the reasoning behind leaked usernames in a trac ticket 19 months ago.

It has been stated in previous tickets, “leaking” of the username is not deemed a security issue by WordPress.org, as it’s a conscious decision to use the username as the slug in the URL. If you don’t like this default behaviour, there are plugins in the repository which allow you to change the url format to your preferred layout.

Instead of attempting to provide security by forcing people to guess your username, you should be focusing on improving passwords, and/or considering two-factor authentication (ie. Google Authenticator) if your passwords are known to be insecure and/or weak.

While not exactly the same scenario, this trac ticket from seven years ago indicates how long the consensus has been around. The username is treated as common knowledge since it’s not difficult to determine. When I asked Andrew Nacin, lead developer for WordPress 3.9, whether the information shared by Hulse is still accurate, he said, “It’s fairly similar language we use when replying to security inquiries.” He then offered similar advice, “Create a strong password. Then, instead of playing games with your username, use a two-factor authentication plugin.”

What Is Two-Factor Authentication?

Logging in with a password is considered single-step authentication. It relies only on something you know. Two-step authentication, by definition, is a system where you use two of the three possible factors to prove your identity, instead of just one. In practice, however, current two-step implementations still rely on a password you know, but use your phone or another device to authenticate with something you have.

Two-Factor Authentication Using Jetpack Single Sign On and WordPress.com

Jetpack comes with a module called Single Sign On. When activated, it allows visitors to use their WordPress.com login credentials to register accounts on self-hosted WordPress sites. This is important because users of WordPress.com have the ability to turn on two-factor authentication for their account.

Two-Factor Authentication Enabled

By enabling two-factor authentication on WordPress.com, the account will be protected when used to register with any WordPress site using the single sign on module, whether or not it’s using a two-factor authentication plugin.

Alternative Two-Factor Authentication Plugins

There are plenty of alternatives to using WordPress.com and the single sign on module. A search of the plugin repository for two-factor authentication plugins shows 40 results. I asked Brennen Byrne, co-founder of Clef, what advice he has for those looking to add two-factor authentication to their site.

When deciding on a two-factor authentication plugin, you should look for one that is well maintained and frequently updated. Two-factor requires that you trust the sender of your messages, so you shouldn’t use a plugin that’s out of date or someone’s side-project.

WordPress.com VIP specifies passwords as the weakest link in the security of anything you do online. Two-factor authentication is an easy step you can take to make your logins more secure.


27 responses to “Why Showing The WordPress Username Is Not A Security Risk”

  1. I can tell you from ten years fixing hacked web sites that WordPress password related hacking is the least serious issue on the board (though it gets a lot of press for some odd reason).

    Two-factor authentication is overkill for most, and tends to give clients a false sense of security.

    The main reason why client’s are hacked has less to do with passwords and more to do with client’s not updating their plugins, themes and WordPress installations.

    I would go so far as to say that in my professional experience less than 20% of hacking situations are passwords related.

    WordPress has already “solved” the password issue IMHO by including the “Strength indicator,” and most security plugins have options to force strong passwords. When used they effectively close the username / password “hole” which was in previous years often abused.

    In short, if we all focus on educating our clients toward maintaining updates, and less focus on the latest password management meme, there will be a lot fewer hacked websites tomorrow.

    • You make a lot of great points. The reason for this article is because over the past few years, there has always been this notion that being able to determine the username in WordPress so easily is a security issue. So I wanted to help set the record straight on why usernames are so easy to determine.

    • I also deal with hacked sites, and I concur. Brute force password attacks tend to kill a server before someone actually gets in.

      The common reasons I see for being hacked:

      * Old versions of WP
      * Out of date plugins/themes
      * Inactive plugins/themes with security holes (“I’m not using it, why should I update?”)
      * Third party (non WP) code on the account
      * Virus on the computer captured passwords (this one happened to me, hush)
      * Rogue admin installed backdoor

      The last two are fairly exceptional.

      Somewhere WAY down at the end is “My WP Password was sniped.” Not that I suggest one log in to your network on a non-secure network, but knowing my username is Ipstenu? Not a secret :)

    • That’s interesting, what you and Mika say. About a year ago for a few months I was seeing the same hack on multiple sites and nearly all of them were running an old version of WordPress.

      I assume if people kept everything up to date and used strong passwords, hacked WordPress sites would be very uncommon. The tragic thing is that these two things are so easy to do.

      Maybe WordPress core should email available theme and plugin updates to the administrator a la WP Updates Notifier. Something like that in conjunction with the automatic core security updates that we have now, built-in login attempt limiting and enforcement of strong passwords could prevent a whole lot of mischief (and the reputation of WordPress).

  2. There’s tons of debate on this. New California law suggests that a weakly stored combination of Username and Password is considered insecure.

    The counter argument runs that if username was insecure, most email systems would be affected. For example, Google uses your email address (which is obviously public) as your username to connect to all their apps.

    I like the idea of using 2-factor authentication for higher security, but average users will find it to be an annoyance. It’s a balancing act.

  3. If you name your site after yourself to get more approval from the big search engine, then someone has a good guess at half your login. WP allows for the displayed name to be different from the username. I don’t know why anyone would give anything away –security-wise– that they don’t have to.

    Pick an obscure word for an original username and then display your first name or nom de keyboard to the public side. Isn’t that sorta like adding a factor in itself, or at least restoring one that you already could have without added rigamarole?

    Just yesterday I had someone try to break in using my first name, although commonly they try “admin”, which was another example of over-sanguinity about security on the part of WP.

  4. I agree. Usernames are only really susceptible to brute force attacks and these attacks rarely target usernames anyway. I run stats on multiple different blogs to see different attack vectors and they are usually centered around the “admin” username or some variety. Only rarely do I see the actual usernames on the site used in an attack.

    We take three steps to curb this kind of attack:

    1. Force strong passwords
    2. Limit Login Attempts plugin or similar
    3. Google Authenticator two-factor authentication when required

    These three make it pretty much impossible to unlock an admin account through brute force or other vectors and leaves us to focus on other more sinister ways of hacking or attacking a site.

    There is a valid question to be asked about whether limiting login attempts should be built into WordPress as a core feature, but that might be a different conversation.

    • Well said and I think it’s very much the same conversation.

      I always assumed most login forms on the Internet limited login attempts. Since WordPress doesn’t, I have to doubt that. I sure hope my bank does. I can’t think of a reason why WordPress, powering such a portion of websites, should not limit login attempts. This is a simple and effective security measure.

  5. Usernames are not passwords so it shouldn’t matter if they’re public. It’s useful and elegant to be identified by a relevant slug. You can use ‘admin’ with a memorable diceware passphrase and it’s not likely to be cracked any time in the next few decades. With a plugin like Limit Login Attempts it will never be cracked by automation.

    The main issue is education. Huge masses on the Internet are still using predictable passwords. I’m shocked at some of the passwords I see in 2014. Sometimes it seems as if zero progress has been made with educating people about password security in the last decade. That’s why core should limit login attempts and somehow enforce strong passwords.

  6. You can teach a horse about water, you can’t force the horse to drink that water. Some horses just die of dehydration.


    There was a thread on the WordPress forum that Mika answered (she didn’t create it), the user mentioned they had WordPress 3.4.1 or around that. Not updated.

    The reason your site will get hacked is due to a combination of the following:

    1) Your username. I am sure Mika’s usernames ALL OVER the internet is Ipstenu. Mine is miroslavglavic
    2) Your password, people have easy passwords due to lazyness. PASSWORD is NOT a password, your birthdate (your mother’s, father’s, child’s, spouse’s) is not a password.
    My father’s security system pin was his birth year.

    Funny thing is that when I call my phone provider, they ask me: my name, cell number, birthdate, home address (phone is registered at my home address). Those are easy to find.
    3) Theme updates – I always say use a plugin instead of hard code it. We all know when you update, those custom codes will go bye bye
    4) Plugins – I don’t know why someone will use a plugin that hasn’t been updated in a year. If plugin hasn’t been updated in 6 months…think of getting another one to replace it. I wish plugin authors would tell people that they are giving up

    5) Garbage – Turn on your user registration for a day (make sure they are only subscriberes) and I guarantee you will get 100 regs in that day.
    Themes that you don’t use. You don’t need more than one theme.
    Plugins you don’t use. Sorry Hello Dolly. If you don’t use extras. Get rid of them.

    In one of the sites I help with, it is a online publication with 377 writers.

    I have limit login plugin.
    I am soon implementing StrongPassword33 system where the writers (377) have to

    1) HaveUpperCaseanDLowERcASe33 passwords which includes numbers as well.
    2) Their passwords must be changed every 6 months (exact time hasn’t been approved yet).

    No one element is the key to keep your site safe.

  7. Year after year we are forced to use ever more complex passwords. What I don’t understand is: if you have a site, WordPress or otherwise, that doesn’t allow infinite login attempts, why isn’t even a “moderately good” password good enough? Granted using the name of your pet or a candy bar is a bad idea.

    It seems to me that passwords are at greater risk from phishing, bulk theft from an online platform, etc. And password strength doesn’t help in those circumstances.

    It’s true that WP sites do get an insane # of login attacks every day. And most of them are against the account “admin”. Those “dumb bots” are a reminder that they’ll be getting smarter and moving from “admin” to real user names soon enough. But again, if login attempts are limited, I don’t see the risk.

    I use the “Limit Login Attempts” plugin that Johan Eenfeldt was kind enough to write. And which Softaculous makes easy to add to every cPanel WP install. The default is 4 login attempts before lockout. I work with plenty of authors, and myself included, who can easily blow through that many attempts before figuring out what they’re doing wrong, so I change that to 20. When a red bar is telling you you’ve only got 1 or 2 attempts left to access your site, it’s stress that I don’t believe the WP experience needs. 20 gives the author a little more room to relax, and as long as your password isn’t as simple as an all lowercase “word” like “peanut”, the bots will still never have anywhere near enough attempts to crack it.

  8. I don’t get it. Why not take 30 seconds to make it exponentially more difficult for a determined bot to hack your site?

    Granted, if your user name is well known, then it will be assumed that it’s your login name. But that’s irrelevant. Because if your actual WordPress login name is dX5A!w3Qfr2p and your NICKNAME is Yoast, and you’ve hidden/denied access to your author archives, you’ve just increased your security significantly by adding a secure admin name.

    To not do this is like not taking a few seconds to turn your home security system on because you already have a guard dog, or because burglars don’t break in through the front door that often.

    • If your password is as complex as “dX5A!w3Qfr2p”, then it doesn’t make any difference if an attacker knows your username. It’s not adding any real security to make the username complex too.

      Security is only as good as the weakest link, and that link is invariably the person sitting behind the keyboard. You’re already asking them to remember a complex password, if you suggest that they remember a different complex username, then you lead to the sticky-post-on-the-monitor syndrome. “Pretend” security measures often lead to decreased security because of unforeseen consequences such as these.

  9. yourdomain.com/?author=1 brings up the admin username in most cases. I have seen a major increase in this attempt at brute force attacks recently. It is still rather lame to say it isn’t a problem because you can fix it with something else that needs to be added. When you have over 120,000 sites attempting to brute force into your site knowing 1/2 the key gives them an advantage that even if you block bad attempts they will still make it easier on them.

    Fortunately, there are 3 things you can do with the above knowledge without additional plugins.

    1. Change the username of the first account at the DB level to something else that uses non-standard characters.
    2. Create another “admin” level account (that isn’t called admin, again with non-standard characters)
    3. Change the first username to have no real permissions.

    Of course…
    Yes, you should use complex passwords.
    Yes, you should use a different password on each site and username.
    Yes, you should change your passwords every so often.

    However, the “security” of a standard WordPress install sucks and should still be improved.

    BTW, I am for additional plugins, however, I still believe that basic WordPress “security” can be improved at the core.

    • Brute forcing is not a security problem (unless you have a stupid password), it’s a performance problem, as your site can get taken down due to it.

      What changes do you think should be made in core? I think a minimum password strength should be enforced.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.