WordPress Username Hack – Stop Hackers Finding Out Your Username By Brute Force

WordPress Username Hack – Stop Hackers Finding Out Your Username By Brute Force

Grab Your Free 17-Point WordPress Pre-Launch PDF Checklist:
Download our exclusive 10-Point WP Hardening Checklist:

WordPress Username Hack – Stop Hackers Finding Out Your Username By Brute Force

Ever since WordPress 3.0 webmasters have had the ability to choose their own usernames when installing WordPress, which helps in reducing the number of successful brute force login attacks.

What is a brute force login attack? It is when a hacker tries to guess your username and password using automated software.

Before WordPress 3.0 every website had an “admin” user account and hackers knew that. This means that they only had to guess the password to the admin account. It’s much easier to guess just the password rather than the username and the password.

That’s why in WordPress 3.0 the WordPress development team did away with the automatic “admin” username. However, unless you’re careful, hackers can still find your username without much effort and then only have to guess your password. Then the WordPress username hacked.

In this video I show you how to disguise your public username so that hackers have to guess both your username and password to brute force your site.

You see, on most WordPress sites, the username is visible on the website when you know where to look. If you have a blog on your site your theme may also include an “author box” where it shows who wrote the article. By default the name of the author in the author box is the username, so let’s change that.

Login into your WordPress dashboard and click on Users in the left hand menu. That will bring up the list of all users on the site. Hover over the one that you use for publishing articles to your blog and click on the Edit link that appears.

On the next page you will be able to edit the profile of that user, when you scroll down a little bit you will see three important fields: First Name, Last Name and Nickname.

Fill those three fields out with whatever you like. Once you’ve filled them out you’ll notice a dropdown right below the Nickname field. This is the “Display name publicly as” drop down box.

The options in the drop down are a combination of the First Name, Last Name and Nickname you entered. These update instantly using AJAX. Choose one that is unlike your user name and then scroll down to the bottom of the page and click Update User.

Now all the author boxes on the website will be updated to display the name you selected from the dropdown instead of the username. This will make a brute force attack hacker’s life a lot more difficult and reduce the likelihood of a WordPress site hacked.

I hope this information helps you! If you have any questions leave a comment below or ping me @WPLearningLab on Twitter.


If you want more excellent WordPress information check out our website where we post WordPress tutorials daily.

Connect with us:

WP Learning Lab Channel:



Google Plus:



12 Replies to “WordPress Username Hack – Stop Hackers Finding Out Your Username By Brute Force”

  1. The title for the video is kinda misleading … i was looking for video’s on how to hack a WordPress website, not how to change the the display name in the site …

  2. What a great video! I immediately changed my username and then created a fictitious author name. Great advice, thank you!

  3. Thanks. I did this as said in the video, but my author name is still the same as my username in the url.

  4. Could you please tell me how a hacker found my username when there is NO “bio box” at the end of my posts? In fact, there is absolutely ZERO information at the bottom of my posts. All that’s there are social media buttons, an ad, then a comments box. Yet imagine my shock when my activity log sent me five alerts that “someone with the username of (MY username) was permanently locked out…” (Because they had the wrong PW, of course). And in each of the five alerts, it showed the user from five different countries. My username is a long incoherent mix of letters and numbers, so it’s impossible to figure it out based on my site’s information or niche. I immediately changed the username to another long incoherent jumble. What’s to stop this from happening again if there ALREADY is NO bio box?

  5. And while I’m at it, why are so many people trying to hack WP sites? It’s not like these are secret bank accounts that they can then drain. What do hackers try to gain by this? I can understand trying to hack a PayPal account, but a BLOG???

  6. OK, I just created a “Contributor” username while logged in under my “real” username. But now I’m stuck. When it’s time to make a post, how do I instruct WordPress to post it under my “Contributor” username, when I’m already logged in with my real username? I don’t see a function in the edit to change who makes the post. Thanks again for your help!

  7. Hi Bjorn, I still haven’t heard from you, per your msg. two days ago below. Did you send me something? Maybe it didn’t go through? There’s nothing in my spam folder though.

  8. PSA: I am writing this so that people are not provided a false sense of security. Changing the publicly displayed name does not necessarily prevent hackers from obtaining usernames out of the source code of any post or page either manually or with a scraper program. Unfortunately, there is no simple solution. Developers should implement best practices to secure their website and explore strategies that best fit their website’s situation.

  9. Hello,

    So I tried to log in today at mywebsitename(dotcom)/admin

    my password didn’t work and my new username was: “hacked”

    I reset my password and I can log in. Everything looks normal but under my username, it still says: “Username: Hacked”

    Do you think my entire website is compromised now and forever?
    Do you have any ideas or advice for what I might do?
    I just changed my password but I assume it is too late…

    Thanks man

    Thanks for the great videos, they have helped me many times!

  10. It doesn’t make a hackers life very hard because they use different methods to get your username

Comments are closed.