Like countless other WordPress users, I’ve been logging into the installation’s back-end using the admin username I created on day one.
Having read about the recently publicised botnet that uses the admin username for brute-force attacks, I thought it was time to beef up my blog’s back-end security.
Quickly realising it was impossible to change the admin username from the WordPress Dashboard, I resorted to first creating a new user with an Administrator role and then deleting the original admin user, following the instructions in numerous articles found on the Net. Here’s one.
The majority of these articles suggested choosing some obscure administrator username to deter the determined attacker. While helpful, all failed to mention that a username that’s difficult to guess is no more secret than one that’s as obvious as your blog’s title, because WordPress publishes it. An unguessable username only raises the attacker’s cost while it stays unknown; once it is known, a brute-force attack is back to guessing just the password. And anyone who wants to find out your username need look no further than the post author’s archive URL.
Let’s assume the username (the login name) is smith and the display name is John. Every post shows the author’s display name as a link to the archive of all posts by that author. Hovering over that link shows the URL in the browser’s status bar: http://www.mysite.com/author/smith.
Voilà! The username smith is displayed for the world (or the few people who visit this site) to see. Clicking the link shows the same URL in the browser’s address bar: http://www.mysite.com/author/smith. You don’t even need to find a post: WordPress answers http://www.mysite.com/?author=1 with a redirect to that same archive URL, so the names can be enumerated by user ID.
Fortunately, masking the username in the author URL is straightforward, because the slug in the URL is not the login name itself but a separate field. User information is stored in two tables in the WordPress database: *_users and *_usermeta, where * is the table prefix set in wp-config.php (wp_ by default). The one we’re interested in is the *_users table.
This table contains a field named user_nicename, which WordPress fills in from the username when the account is created and which is not editable from the WordPress Dashboard, but can be changed using the MySQL administration tool phpMyAdmin or any other MySQL client. If user_nicename is changed to, say, jdoe, the login name remains smith, but the author’s archive URL becomes http://www.mysite.com/author/jdoe, hiding the login name smith from visitors. Two things to check before saving: the new value must be unique among your users (WordPress keeps nicenames unique itself; the database will not stop you from creating a duplicate), and it should contain only lowercase letters, digits and hyphens, the characters WordPress itself would put in a slug. Afterwards, confirm the change by visiting http://www.mysite.com/?author=1 (use the account’s actual ID) and checking that it redirects to /author/jdoe/. Bear in mind that a hidden login name protects nothing on its own: a strong password on the new administrator account matters more than an obscure name.
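The same change, written as plain MySQL statements rather than phpMyAdmin clicks, as an added example that is not part of the original post. It assumes the default wp_ table prefix, a login name of smith and a new slug of jdoe; adjust all three to your own installation. The first two SELECTs are checks you want to run before the UPDATE, the last one verifies the result.

```sql
-- Added example, not from the original post. Assumes the default table
-- prefix wp_, the login name 'smith' and the new slug 'jdoe'; adjust all three.

-- 1. Look at the current mapping of login name to archive slug. With a
--    freshly created account user_nicename is simply the login name.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_login = 'smith';

-- 2. Make sure the new slug is not already used by another account.
--    This must return 0: WordPress keeps nicenames unique in PHP, but the
--    wp_users table only has a plain (non-unique) index on user_nicename,
--    so MySQL will happily accept a duplicate.
SELECT COUNT(*) AS taken
FROM wp_users
WHERE user_nicename = 'jdoe';

-- 3. Change the slug that appears in /author/<slug>/. The login name,
--    password and role are untouched; only the public URL changes.
UPDATE wp_users
SET user_nicename = 'jdoe'
WHERE user_login = 'smith';

-- 4. Verify: user_login is still 'smith', user_nicename is now 'jdoe'.
SELECT ID, user_login, user_nicename
FROM wp_users
WHERE user_login = 'smith';
```

Paste the statements into phpMyAdmin’s SQL tab one step at a time so that you see the result of each check before running the UPDATE. If you have shell access, WP-CLI does the same thing through WordPress’s own user update code (which also applies its slug sanitisation) with a single command: wp user update smith --user_nicename=jdoe.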