Default WordPress install leaks user login name – avoid ?author=1 attack

Did you know that you can obtain WordPress user login names with a simple parameter url?

I have only been using WordPress for the last two years, but I never realized how easy it is to find a user login name. This would seem to me to be a major security flaw and should be addressed by WordPress as soon as possible. I have yet to research this in full, and WordPress might already have a fix in store but I will have to keep an eye out to see.

The attack

The default WordPress install as of 4.3.1 does ask you for a unique name for the initial administrative user and does not allow you to use “admin” as the name. By default you are supposed to use a strong password for all accounts on the system, however there is an option to check a box to allow a weak password. I see that WordPress is trying to keep it easy for someone to use, but I am not convinced a user could not at least come up with a somewhat longer and harder to guess password. In order to login to a WordPress installation, you have to have the user name and the password. But what if you can obtain the user name with almost no effort and then attempt to do a slow brute force attack to guess the password for the account (knowing full well that there is a high possibility the user choose a weak password). Believe it or not, this is an easy hack if given enough time to run through a password dictionary (a list of commonly used passwords).

In the area where you type your website url, add the following to the end


and hit go. WordPress will display the lists of posts by the author with an id=1 in the database, but use the “nicename” which by default is the same as your user login name for that author.



Now you know the user login name to try is admin and try to figure out a password for the account.

The Fix

There are a couple ways that I know about as a simple fix to this problem. First, you can install a security plugin like or WordFence that blocks the ?author=1 hack. Second, you can edit the user table entries in the database. If you change the “nicename” for every user to not be the same as the login name, then when ?author=1 is used the /author/[nicename] will display as you have typed it. Warning, do not use special characters or spaces in a “nicename”. I have successfully used a dash between words with no problem, but I would NOT suggest using other characters (especially the question mark and ampersand).

If you would like a tutorial on how to edit the user table, let me know and I will do my best to work on the video for it.

Enjoy your WordPress install and stay safe!