WordPress Logins Exposed

You’re Giving Out Your WordPress Username! (and you don’t even know it)

When evil-doers know your username, you’re half way to hacksville!

How can someone figure out your username?  Check it out…

  1. Go to your blog page.
  2. Click on the author name of an article listed. If your theme doesn’t show the author name on the main page, go into the specific article and then click the author name, usually found underneath the article title.
  3. Now look at what the web address says in your browser.  Do you see something like: yourdomain.com/author/yourusername

Yeah, that’s how easy it is for anyone to find your username.

So what? Just make your password harder, right?  Well, yes I’m an advocate of ridiculously difficult passwords that you can’t memorize.  But people tend to only worry about the password and not the login. Figuring out the login should be difficult too!

A Bit About WordPress Passwords First

Now generally hackers have programs called robots that go to your login page and try the usual suspects of easy (and horribly unsecure) passwords.

In my experience these are the top 7 worst WordPress passwords.

  1. administrator
  2. admin
  3. admin123
  4. user
  5. www
  6. yourdomainname (meaning you have used your actual domain name as the username)
  7. root

Those are the worst passwords specifically for WordPress, as I have found them to be the most commonly attempted by brute force attackers.  You can check out this Huffington Post article about the 25 worst passwords just in general.  They are a bit different from what WordPress hackers typically try, but nevertheless, don’t use them!


Get free information about awesome plugins for audio and more, keeping hackers away, getting found in Google when someone’s trying to find you, and MORE!

* indicates required

I do not share your information with anyone!

WordPress Logins

Only a few years back, it was still pretty common to use the word “administrator” as a login for all sorts of accounts, but especially for WordPress. Today it is more important than ever before to make your login unusual and difficult.

But why make it difficult if you can just dial it up as described above?

Because, my friends, you can hide that information from the hackers! What??  Yes, you can be one step ahead of the hacker-bots (my own term) by hiding your username.

But what is this magic I speak of? Well it’s a wonderful plugin called Edit Author Slug. It’s a sweet, simple plugin that allows you to change the username that shows in the web address when the author name is clicked. It also lets you change where it says “author” in that web address to anything you want it to be. Double whammy!

So now:
can become:
(or maybe something more dignified).

Download and Setup

You can download the plugin while logged into your WordPress admin area.

  • Mouse over the “Plugins” menu item on the left and in the pop-up menu, select “Add New.”
  • In the search box in the upper right of the screen, type: edit author slug. It should be the first item to appear in the list. Click “Install Now.” Be sure to click “Activate” after it’s installed.
  • Mouse over the “Settings” menu item on the left and in the pop-up menu, select “Edit Author Slug.”

I’m going to assume you are the only author of your blog for the rest of the setup.

  • The only thing you need to worry about on this page is changing the “Author Base.” This is what will change the actual word “author” in that web address to “fluffy” (as per our example).
    Edit Author Slug Screen Shot
  • Save your changes.
  • Mouse over the “Users” menu item on the left and in the pop-up menu, select “All Users.” Click on your username. If you are the only user, you could also just select “Your Profile” in the pop-up menu and go directly to your profile page.

“Edit Author Slug” has added a new section to this page at the bottom, but let’s make sure other ducks are in a row first.

The second section on the User Profile page is titled “Name.”  By default, the username and nickname will be filled in for you – both will show your username, but it’s a good idea to set it up just how you want it. This will give you name options to show by your articles.

WordPress Username Image

  • The username is set in granite. You cannot change it. Okay there is a workaround but we’ll leave that for another time. But for now, you’ll notice you cannot edit that field.
  • Go ahead and enter your First and Last names in their respective fields.
  • For the Nickname, you can enter anything you want, but best practice would be to enter your First and Last name. You may choose to have this as your display name. Putting something other than your username would definitely be best.
  • “Display Name Publicly As” offers you a drop down menu of options. It pulls the information from the fields above: username, first name, last name, first last, last first, nickname. I use my first and last names.
  • Now scroll down until the second to last section of the page called “Edit Author Slug.” Notice that there are now options for all you entered above. Whatever you pick here is what will show in that web address when someone clicks on the author name of an article. Make your selection.
  • Be sure to click “Update Profile” at the bottom of the page!

I want to summarize what is showing where.

  • Display name publicly as: Shows with every article
  • Author slug: Shows in the web address if someone clicks the link to your Display Name.
  • Author base: (from the “Edit Author Slug” setup page) Shows a word other than the default “author” in the web address.

So again, we went from:

Definitely consider doing this for your blog. Any security measure you can take is well worth it these days. And this is an easy one.

Was this helpful to you?  Do you have any questions about any of the info here? Please leave a comment below!

Leave a Comment

Driven by One Purpose!

We give professional voice actors an exciting and solid web presence that attracts new clients and provides a destination for them to hear your voice.

Invalid Email
Please check the captcha to verify you are not a robot.