Why Showing The WordPress Username Is Not A Security Risk

When we talk about the basics of WordPress security, we always tell you to use a very strong password. The recently added password strength meter helps to facilitate the process. But what about usernames? WordPress offers a way to change your display name which acts as a username alias. However, it doesn’t hide the username since it’s used within the URL and can’t be changed. For example, https://wptavern.com/author/username is always my account, despite what my display name is.

Leaky Usernames Featured Image
photo credit: Kris Krugcc

Some argue the leaking of usernames is a security risk. Dion Hulse, a core contributor to WordPress, explained the reasoning behind leaked usernames in a trac ticket 19 months ago.

It has been stated in previous tickets, “leaking” of the username is not deemed a security issue by WordPress.org, as it’s a conscious decision to use the username as the slug in the URL. If you don’t like this default behaviour, there are plugins in the repository which allow you to change the url format to your preferred layout.

Instead of attempting to provide security by forcing people to guess your username, you should be focusing on improving passwords, and/or considering two-factor authentication (ie. Google Authenticator) if your passwords are known to be insecure and/or weak.

While not exactly the same scenario, this trac ticket from seven years ago indicates how long the consensus has been around. The username is treated as common knowledge since it’s not difficult to determine. When I asked Andrew Nacin, lead developer for WordPress 3.9, whether the information shared by Hulse is still accurate, he said, “It’s fairly similar language we use when replying to security inquiries.” He then offered similar advice, “Create a strong password. Then, instead of playing games with your username, use a two-factor authentication plugin.”

What Is Two-Factor Authentication?

Logging in with a password is considered single-step authentication. It relies only on something you know. Two-step authentication, by definition, is a system where you use two of the three possible factors to prove your identity, instead of just one. In practice, however, current two-step implementations still rely on a password you know, but use your phone or another device to authenticate with something you have.

Two-Factor Authentication Using Jetpack Single Sign On and WordPress.com

Jetpack comes with a module called Single Sign On. When activated, it allows visitors to use their WordPress.com login credentials to register accounts on self-hosted WordPress sites. This is important because users of WordPress.com have the ability to turn on two-factor authentication for their account.

Two-Factor Authentication Enabled

By enabling two-factor authentication on WordPress.com, the account will be protected when used to register with any WordPress site using the single sign on module, whether or not it’s using a two-factor authentication plugin.

Alternative Two-Factor Authentication Plugins

There are plenty of alternatives to using WordPress.com and the single sign on module. A search of the plugin repository for two-factor authentication plugins shows 40 results. I asked Brennen Byrne, co-founder of Clef, what advice he has for those looking to add two-factor authentication to their site.

When deciding on a two-factor authentication plugin, you should look for one that is well maintained and frequently updated. Two-factor requires that you trust the sender of your messages, so you shouldn’t use a plugin that’s out of date or someone’s side-project.

WordPress.com VIP specifies passwords as the weakest link in the security of anything you do online. Two-factor authentication is an easy step you can take to make your logins more secure.

There are 27 comments

Comments are closed.