Secure Your WordPress: Disable Get Author Name Vulnerability

Did you know that a hacker can find your WordPress admin name just by typing “www.yourwebsite.com/?author=1”? Apart from using a very secure password for your admin account, it is best to hide your admin user ID completely for security reasons. Here is how:

Add this to your .htaccess file and replace “www.yourwebsite.com” with your domain.

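# Stop WordPress username enumeration via /?author=<number>
# Only requests for the site root are checked
RewriteCond %{REQUEST_URI}  ^/$
# Match author=<digits> anywhere in the query string
RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+
# Redirect to the home page; the trailing "?" drops the query string
RewriteRule ^(.*)$ http://www.yourwebsite.com/? [L,R=301]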

With the above, a request for “www.yourwebsite.com/?author=number” is redirected (301) to your home page instead of to the author's archive URL.

Just be sure that you already redirect all traffic for your “yourwebsite.com” domain to “www.yourwebsite.com”. If you don’t, “yourwebsite.com/?author=number” will reveal your admin or other users.

If you don’t know how, here is the complete modification for your .htaccess:

#
# mod_rewrite must be enabled for the rules below
RewriteEngine On
# Send all traffic for yourwebsite.com to www.yourwebsite.com
RewriteCond %{HTTP_HOST} ^yourwebsite\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourwebsite.com/$1 [R=301,L]
#
# Stop WordPress username enumeration via /?author=<number>
RewriteCond %{REQUEST_URI}  ^/$
RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+
# Redirect to the home page; the trailing "?" drops the query string
RewriteRule ^(.*)$ http://www.yourwebsite.com/? [L,R=301]
#
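
To confirm the rules on both hostnames of your own site, here is a small check, added as an example and not part of the original post. It requests /?author=1, walks the redirect chain hop by hop, and reports any hop whose Location header points at an author archive. The default /author/<slug>/ path and the function names are assumptions; yourwebsite.com is the article's placeholder.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Assumption: default permalink layout, author archives at /author/<slug>/.
AUTHOR_PATH = re.compile(r"/author/([^/]+)")
REDIRECTS = (301, 302, 303, 307, 308)


def leaked_slug(status, location):
    """Return the author slug a redirect discloses, or None."""
    if status in REDIRECTS and location:
        match = AUTHOR_PATH.search(urlsplit(location).path)
        if match:
            return match.group(1)
    return None


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # urllib then raises HTTPError for the 3xx instead of following it


def probe(url, timeout=10):
    """One request, redirects not followed: returns (status, Location header)."""
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def check_host(host, fetch=probe, max_hops=5):
    """Follow the redirect chain for http://<host>/?author=1 hop by hop."""
    url = f"http://{host}/?author=1"
    for _ in range(max_hops):
        status, location = fetch(url)
        slug = leaked_slug(status, location)
        if slug:
            return slug            # login name exposed at this hop
        if status not in REDIRECTS or not location:
            return None            # chain ended without an /author/ URL
        url = urljoin(url, location)
    return None


if __name__ == "__main__":
    # Placeholder hostnames from the article; replace with your own domain.
    for name in ("yourwebsite.com", "www.yourwebsite.com"):
        slug = check_host(name)
        print(name, f"LEAKS {slug}" if slug else "ok")
```

Run it before and after editing .htaccess; both hostnames should print "ok" once the rules are active.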

 



One thought on “Secure Your WordPress: Disable Get Author Name Vulnerability”

  1. Johannes de Sacrobosco says:

    Actually this is not needed anymore. You can skip this and use the WordPress Shield plugin for all the security needs. The Shield plugin includes the author WP admin name phishing.

    The Most Comprehensive and Highest-Rated Security System for WordPress (formerly the WordPress Simple Firewall).

    https://wordpress.org/plugins/wp-simple-firewall/
