Everybody knows that passwords are the keys to your web addresses and must be protected to keep your blogsite safe.
But what about the username? How safe should it be from the detection of hackers?
When you consider that the WordPress username is one half of the equation for “popping” a WordPress site, 50% is a damned high share to hand over. Why give away half your login?
No amount of automated password guessing is going to help hackers break in without knowledge of the username.
How hackers find your username
Discovering your username is easy. All anyone has to do is navigate to your post, click on your author name and look at the URL to see it in all its glory.
In this case, “friday13” is the username. With that information, a hacker can use a password tool to spin through a million letter and number combinations to detect your password.
Once they hit on your password, they’re in!
Back in olden times, WordPress.org automatically assigned “admin” as your username. Hackers knew this and countless sites were broken into using the “admin” username. Users used to have to create a new administrator account and delete the admin account to get rid of it.
That practice ended some time ago, so now users have the option of picking a good username from the get-go.
How to Protect your WordPress username from the bad guys
Pick an obscure username
When you first install WordPress in a hosting account, you are asked to create an Administrator Username.
Choose one carefully.
Never create usernames that:
- are in any way related to the name or topic of your blogsite
- include your own name
- consist of your email address
Always create usernames that:
- are unrelated to the site’s content
- are obscure, obtuse, portmanteau, gibberish
If you can’t think of a tough username, try using a username generator.
Create a Nickname in User Profile
As soon as you set up your blogsite, be sure to fill out the fields in your User Profile.
- Your first name
- Your last name
- A nickname (not username-related)
WordPress autofills your Nickname with your Username, so change that pronto.
Use the dropdown menu to choose a combination of your name or your nickname. What you choose will appear on your blog posts.
That way, your username will not appear in the blog post.
Blog as Editor instead of Administrator
Your site requires an Administrator who has access to all features of the site and receives email from readers and hosts.
But even if you’re a solo operation, you don’t need to blog as the Administrator. You can create a user account in the role of Editor and use that to post on your blog.
So, if a hacker discovers that username and password, they will only have access as an Editor.
Use a security plugin
Some security plugins offer features to change how authors are presented on the site. I recommend All-In-One Security, which allows you to set all Author queries to redirect to another page or to block them entirely.
Change User Nicename in your database
Here’s the method I like best, but it requires some comfort with navigating through your server.
Go to your web host and log in. Navigate to Databases and click on phpMyAdmin. Find your WordPress database – often labeled “wp_” – and expand it. Click on the table, “wp_users.”
Find the username you want to change the nicename for and click Edit. Under “user_nicename” go to Value and change that.
What you change your user_nicename to depends on you, but like the Nickname, I believe a good taunt is in order. My Nicename for this site is “fuckoffhackers.”
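To check whether the Nickname, display name and Nicename steps above actually took, here is an added example (not from the original post or from WordPress itself) that audits which public fields still match the login. It assumes the default “wp_” table prefix and runs against a constructed SQLite stand-in for the MySQL database; the sample accounts other than “friday13” are made up.

```python
import re
import sqlite3

# Fetches each login beside its public name fields (default "wp_" prefix assumed).
FIELDS_SQL = """
SELECT u.user_login, u.user_nicename, u.display_name,
       COALESCE(m.meta_value, '') AS nickname
FROM wp_users u
LEFT JOIN wp_usermeta m
       ON m.user_id = u.ID AND m.meta_key = 'nickname'
ORDER BY u.ID
"""

def normalize(value):
    """Lowercase and drop punctuation so 'Friday-13' still matches 'friday13'."""
    return re.sub(r"[^a-z0-9]", "", value.lower())

def audit(conn):
    """Return {login: [fields that reveal it]} for every account that leaks."""
    findings = {}
    names = ("user_nicename", "display_name", "nickname")
    for login, *public in conn.execute(FIELDS_SQL):
        leaks = [n for n, v in zip(names, public) if normalize(v) == normalize(login)]
        if leaks:
            findings[login] = leaks
    return findings

def sample_db():
    """Constructed stand-in for a WordPress database (not real site data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_nicename TEXT, display_name TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        -- Fresh install defaults: every public field mirrors the login.
        INSERT INTO wp_users VALUES (1, 'friday13', 'friday13', 'friday13');
        INSERT INTO wp_usermeta VALUES (1, 'nickname', 'friday13');
        -- Hardened account: nickname, display name and nicename all changed.
        INSERT INTO wp_users VALUES (2, 'qz-Vorth_88', 'site-scribe', 'Jane Doe');
        INSERT INTO wp_usermeta VALUES (2, 'nickname', 'Scribe');
        -- Half done: profile fixed, but the author URL slug still leaks.
        INSERT INTO wp_users VALUES (3, 'Blorp.Wex', 'blorp-wex', 'Sam');
        INSERT INTO wp_usermeta VALUES (3, 'nickname', 'Sam');
    """)
    return conn

if __name__ == "__main__":
    for login, fields in audit(sample_db()).items():
        print(f"{login}: exposed via {', '.join(fields)}")
```

The third account is the case to watch for: the profile looks clean, but the author URL still gives the login away until user_nicename is changed.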
Monitor your username
By using security plugins that send alerts on brute force attacks, you can monitor the usernames that evildoers are targeting in their attempts to break in.
Usually, you’ll see the obvious: admin, name of your site, your name, words found on your site, etc. But, when you see your actual username in a brute force attack alert, you know it’s time to change it with the create new account/delete old account method.
I admit to getting a certain amount of satisfaction when an alert says:
They can use that name all day and they won’t hack my site.
Keep your username safe
Whichever method you choose, just make sure your WordPress username is not exposed to the world.
Got any tips for keeping usernames and passwords safe? Please leave them in the comments below.