Hide WordPress usernames


Websites that are built with WordPress are relatively often the target of hacker attacks – especially so-called brute force attacks. The attacker attempts to guess the password of a user or even an administrator through a sometimes very large number of login attempts. In most cases, these attacks are carried out automatically by bots.

There are things you can do to ward off such brute force attacks. At the top of the list of possible defenses are security plugins that register such attacks and then block the corresponding IP address or user name for a certain period of time. It is then still possible to guess the password, but it takes much longer.

Where do attackers get the usernames from?

Hackers or attackers often take advantage of the fact that the user names of a WordPress installation can be found out quite easily: all the attacker has to do is call up the author page. But how does a potential attacker reach the author page without knowing the login name? The answer lies in the way WordPress addresses users by their numeric ID: the URL /?author=1, for example, redirects to the profile page of the main account, and that page reveals the name of the main user – in most cases the user with the Administrator role, and therefore all user rights.

Hide WordPress profile pages and usernames with code

The following script prevents this redirection to the author profiles:

/* hide author archive page */

add_action('template_redirect', 'my_custom_disable_author_page');

function my_custom_disable_author_page() {
    // Only act on author archives (/?author=N or /author/<name>/).
    if ( is_author() ) {
        // Redirect to the homepage with a 301 permanent redirect.
        // wp_redirect() defaults to a 302 temporary redirect.
        wp_redirect(get_option('home'), 301);
        exit;
    }
}

This script must be inserted into the functions.php file of the active theme or child theme – then all requests to the URL /?author=x will be redirected to the start page.

Of course, the script does not offer 100% security against brute force attacks, but it should be used as a minimum measure in every WordPress installation – provided that you can do without the profile pages or author pages.

User names in the REST API

In addition to the ‘source’ listed above, there is also the REST API, which communicates user names and therefore login names to the outside world.

In principle, the REST API can of course be very helpful if you want website content to be communicated to the outside world and thus be accessible. But in my opinion, this feature becomes a bug when it comes to usernames.

To test it, simply call up the following URL: “/wp-json/wp/v2/users/1”

I use Solid Security Pro – and this vulnerability can be closed quite easily. To do this, you have to select the “Restricted Access” option at the following location:

“Solid Security Pro > Settings > Advanced > WordPress Tweaks > REST API”

Instead of the user ID, user name, user slug, etc., the following message will appear:

code: "itsec_rest_api_access_restricted"
message: "You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted by Solid Security settings."
status: 401

Potential security gap closed – and Bob’s your uncle.
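For installations without Solid Security Pro, the same “Restricted Access” behaviour can be reproduced with a few lines in functions.php. The snippet below is an added example, not code from the original post or from the Solid Security plugin; the function name example_restrict_users_routes and the error code string are my own choices. It answers every request to the /wp/v2/users routes from a visitor who is not logged in with a 401, in the same spirit as the plugin’s message, while logged-in users (the block editor queries this endpoint to list authors) are unaffected.

```php
<?php
/**
 * Added example (not from the original post or from Solid Security):
 * refuse the /wp/v2/users REST routes for visitors who are not logged in.
 *
 * Place in functions.php of the active (child) theme or in a small plugin.
 */

add_filter( 'rest_pre_dispatch', 'example_restrict_users_routes', 10, 3 );

/**
 * Runs before a REST request is dispatched. Returning a non-null value
 * short-circuits the request and is sent to the client as the response.
 *
 * @param mixed           $result  null unless another filter already answered.
 * @param WP_REST_Server  $server  The REST server instance.
 * @param WP_REST_Request $request The incoming request.
 * @return mixed null to continue normally, or a WP_Error to block.
 */
function example_restrict_users_routes( $result, $server, $request ) {
    // Respect a decision another filter has already made.
    if ( null !== $result ) {
        return $result;
    }

    // Authentication (cookie + nonce, application passwords, ...) has already
    // been checked at this point, so is_user_logged_in() is reliable here.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Matches /wp/v2/users, /wp/v2/users/1, /wp/v2/users/me, ...
    $route = $request->get_route();
    if ( 0 !== strpos( $route, '/wp/v2/users' ) ) {
        return $result; // not a users route: leave it alone
    }

    // Same shape as the plugin's reply: a code, a message and a 401 status.
    return new WP_Error(
        'example_rest_users_restricted',   // assumed error code, my own choice
        'You do not have sufficient permission to access this endpoint.',
        array( 'status' => 401 )
    );
}
```

Because the check sits in rest_pre_dispatch rather than in a route-removal filter, it also applies to the internal sub-requests that ?_embed issues to fetch author data for post responses, since those go through the same dispatch path. Verify the change as the post suggests, by calling /wp-json/wp/v2/users/1 in a private browser window: the reply should now be the 401 error instead of the user record.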

Show active author pages, hide inactive authors and usernames

Of course, you don’t always have to switch off, hide and deactivate everything that could potentially pose a security risk. The author archive pages can of course also be a great way of displaying all of an author’s content clearly on one page. And that’s how it was originally intended. However, in addition to active authors, there are always WordPress users who do not publish any articles and for whom the archive page is therefore empty – and therefore makes no sense. In this case, the disclosure of the user name, which is identical to the login name, represents a security risk that can be very easily eliminated with the help of Solid Security Pro.

There is another setting in SolidWP Pro that can be used to deactivate archive pages of inactive authors. This function can be found here:

“Solid Security Pro > Settings > Advanced > WordPress Tweaks > Users >
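The same “active authors stay visible, inactive authors disappear” rule can also be implemented without the plugin. The snippet below is an added example, not code from the original post or from Solid Security; the function name example_hide_inactive_author_pages is my own. It keeps the author archive of every user who has at least one published post and redirects all other author archives to the start page, so that an empty archive no longer exposes a login name.

```php
<?php
/**
 * Added example (not from the original post or from Solid Security):
 * hide author archives only for users without any published posts.
 *
 * Place in functions.php of the active (child) theme. Registered at
 * priority 1 so it runs ahead of WordPress's own redirect_canonical(),
 * which also hooks template_redirect and rewrites /?author=N to the
 * pretty /author/<name>/ URL.
 */

add_action( 'template_redirect', 'example_hide_inactive_author_pages', 1 );

function example_hide_inactive_author_pages() {
    // Only author archives are affected; every other request passes through.
    if ( ! is_author() ) {
        return;
    }

    // On an author archive the queried object is the WP_User being listed.
    $author_id = (int) get_queried_object_id();

    // count_user_posts( $user_id, $post_type, $public_only ): the third
    // argument limits the count to publicly visible (published) posts.
    $published = ( $author_id > 0 )
        ? (int) count_user_posts( $author_id, 'post', true )
        : 0;

    if ( $published > 0 ) {
        return; // active author: the archive stays reachable
    }

    // Inactive (or unknown) author: send the visitor to the start page
    // with a permanent redirect, as in the post's own snippet.
    wp_safe_redirect( home_url( '/' ), 301 );
    exit;
}
```

If your site publishes content of another post type (for example only pages or a custom post type), pass that type, or an array of types, as the second argument of count_user_posts(); otherwise authors who publish only that type would be treated as inactive. The result can be checked by opening /?author=N for a user with posts (archive shown) and for one without (redirect to the start page).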

Disable all author pages with one plugin

Last but not least, the hammer method should be mentioned: with the free Disable Author Archives plugin, you can quickly and easily “disable” all author pages. A 404 error is then displayed instead of the archive page.