Most WordPress users today understand that using “admin” as their administrator username is a significant security risk. This awareness has grown as cyberattacks have become more sophisticated and prevalent. Hackers routinely deploy automated attacks designed to crack WordPress credentials, and they always start with the most obvious target: the admin username.

The “admin” username was the default in older WordPress installations, making it a prime target for malicious actors. When hackers launch brute-force attacks—automated attempts to guess login credentials through thousands or millions of combinations—”admin” is inevitably the first username they try. If your site still uses this default username, you’re essentially giving attackers half the puzzle solved before they even begin.

The Hidden Vulnerability: Author URLs Expose Your Username

While many website owners have moved away from using “admin” as their username, choosing something more obscure like “side5red1968” or “jsmith2024,” there’s a lesser-known security flaw that can completely undermine these efforts. This vulnerability affects anyone who publishes blog content using their administrator account.

When you use your admin account to publish blog posts, WordPress automatically creates an author profile for you. This profile includes a publicly accessible URL that follows a standard format: yourwebsite.com.au/author/your-username. This means that even if you’ve chosen a complex, random username that would be virtually impossible to guess, it’s displayed in plain sight on your website for anyone to see.

Consider the implications: a hacker no longer needs to guess your username through brute-force attacks. They can simply navigate to any blog post on your site, click on the author name, and immediately see your admin username in the URL. They’re now halfway to gaining unauthorized access to your site, needing only to crack your password.

Why This Matters for Your Website Security

This vulnerability transforms your security approach from “something hackers need to guess” to “something publicly displayed on your website.” It eliminates one of the two barriers protecting your site—your username—leaving only your password standing between hackers and full administrative access.

The risk is particularly acute because many website owners don’t realise this information is being exposed. They’ve taken the time to choose a secure username, believing they’ve addressed this security concern, without realising their blogging activity is broadcasting that same username to the world. And cleaning up a hacked website is usually not a simple task.

Solution 1: Create Separate Author Accounts

One effective approach is to establish separate author accounts specifically for publishing blog content. This strategy maintains a clear separation between your administrative functions and your public-facing content creation.

How This Works

By creating a dedicated author account with a different username, you ensure that even if that username is visible in author URLs, it won’t provide access to your site’s critical administrative functions. These author accounts should have limited permissions—typically the “Author” or “Editor” role rather than “Administrator”—restricting what a hacker could access even if they compromised that account.

The Drawbacks

While this approach is security-sound, it comes with practical challenges. Managing multiple login credentials can be inconvenient, especially if you frequently switch between administrative tasks and content creation. You’ll need to log out and log back in whenever you transition between these activities.

Additionally, if you’ve already published numerous blog posts using your admin account, those posts will continue to display your admin username in their author URLs. Reassigning all existing posts to a new author account can be time-consuming, particularly for sites with extensive content libraries.

Solution 2: Disguise Your Author URL Slug

A more elegant solution involves changing how your author URL is displayed without creating additional accounts or reassigning existing content. This approach allows you to continue using your admin account for blogging while hiding your actual username from public view.

Using the Edit Author Slug Plugin

The “Edit Author Slug” plugin provides a straightforward way to customize your author URL. Instead of displaying your actual admin username in the author URL, you can replace it with any alternative text you choose.

For example, if your admin username is “side5red1968,” you could set your author slug to display as “john-smith,” “staff-writer,” or any other name you prefer. Your author URL would then appear as yourwebsite.com.au/author/john-smith while you continue logging in with your actual admin username “side5red1968.”

The Benefits

This solution offers several advantages. You maintain a single login credential, eliminating the hassle of managing multiple accounts. All your existing blog posts automatically reflect the new author slug without requiring manual reassignment. Most importantly, your actual admin username remains hidden from public view, restoring the security benefit of having an obscure username.

Best Practices for WordPress Security

Regardless of which solution you choose, protecting your author URLs is just one component of a comprehensive WordPress security strategy. Consider implementing these additional measures:

• Use strong, unique passwords: Combine uppercase and lowercase letters, numbers, and special characters in a lengthy password that doesn’t appear in any data breach databases.
• Enable two-factor authentication: This adds an additional verification step beyond username and password, significantly reducing the risk of unauthorized access.
• Limit login attempts: Install plugins that restrict the number of failed login attempts, effectively neutralizing brute-force attacks.
• Keep WordPress updated: Regularly update your WordPress core, themes, and plugins to patch security vulnerabilities.
• Use security plugins: Comprehensive security plugins can provide firewalls, malware scanning, and other protective measures.

Conclusion

The visibility of your admin username through author URLs represents a significant but often overlooked security vulnerability in WordPress sites. Whether you choose to create separate author accounts or use a plugin to disguise your author slug, addressing this issue is a crucial step in protecting your website from unauthorized access.

Take a moment today to check your own site. Navigate to one of your blog posts and click on the author name. If you see your admin username displayed in the URL, you now know you have a security gap that needs addressing. Implementing either of the solutions outlined above will significantly strengthen your site’s defenses and provide greater peace of mind.