You’ve taken all the security precautions to hide your WordPress login and admin screens from hackers. You’ve also changed the default usernames and removed them from your theme, so you think you are fine: there is no way a hacker can find your login usernames. Well, think twice! Below are two methods hackers can use to find your WordPress usernames with a simple scan, together with a fix for each.
- Using /?author=1 Query Parameter
- Fix: Adding a Code Snippet to WordPress
- Using WordPress JSON REST Endpoint: /wp-json/wp/v2/users/1
- Fix: Disable via Code
1: Using /?author=1 Query Parameter: Requesting the URL below makes WordPress answer with a 301 redirect to the author archive of user ID 1, /author/<username>/. The archive URL contains the user's nicename, which by default is the login name, so the redirect's Location header reveals the username, and changing the number (?author=2, ?author=3, ...) enumerates the rest. To fix this, open your WordPress dashboard – Appearance – Theme Editor and, in the right panel, select functions.php. Add the following snippet at the end of the file. Save, refresh, and request the URL again: it should now redirect to your home page instead of the author archive. Note that a theme update overwrites functions.php, so put the snippet in a child theme or a must-use plugin if you want it to survive updates; with the snippet in place, the /author/<username>/ archive pages redirect home as well.
http://YOURSITE.COM/?author=1
// START author parameter //
// Hooked at priority 1 on purpose: WordPress' own redirect_canonical() runs on
// template_redirect at the default priority 10 and would otherwise already have
// answered /?author=1 with a 301 to /author/<username>/ before this function runs,
// leaking the name in that first Location header.
function redirect_to_home_if_author_parameter() {
    $is_author_set = get_query_var( 'author', '' );
    if ( $is_author_set != '' && ! is_admin() ) {
        wp_redirect( home_url(), 301 );
        exit;
    }
}
add_action( 'template_redirect', 'redirect_to_home_if_author_parameter', 1 );
// END author parameter //
2: Using WordPress JSON REST Endpoint: /wp-json/wp/v2/users/1: The REST API's users route answers unauthenticated requests with a JSON record for every user who has published posts. The URL below returns user ID 1, and /wp-json/wp/v2/users lists them all; each record carries a slug field that by default equals the login name. To fix this, follow the same steps as before and add the following snippet at the end of functions.php. Save, refresh, and test again: both URLs should now return a rest_no_route error. Because the filter edits the route table itself, the alternative form ?rest_route=/wp/v2/users is blocked too. The routes are kept for logged-in users so that the block editor, which looks up authors through /wp/v2/users, keeps working.
http://YOURSITE.COM/wp-json/wp/v2/users/1
// START REMOVE JSON PARAMETER //
// Remove the users routes for visitors who are not logged in.
function disable_rest_endpoints( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'disable_rest_endpoints' );
// END REMOVE JSON PARAMETER //
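The "simple scan" both methods rely on is easy to script, and the same script is the quickest way to confirm that the two snippets actually took effect. The checker below is an added example written for this page, not code from the original post or from WordPress: it requests /?author=N without following redirects (the username sits in the Location header of the first 301, so a client that follows redirects only sees the final page) and reads the slug fields from /wp-json/wp/v2/users. It assumes the REST API is mounted at the default /wp-json/ path and that pretty permalinks are enabled (with plain permalinks the author archive renders directly with a 200 instead of redirecting, which this check does not parse). The sample responses at the bottom are constructed for the offline self-test, not captured from a real site.

```python
"""Check a WordPress site for the two username-enumeration paths above.

Added example (not from the original post). Assumptions: REST API at /wp-json/,
pretty permalinks enabled. Sample responses below are constructed, not captured.
"""
import json
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Pretty-permalink author archives look like https://site/author/<nicename>/
AUTHOR_SLUG_RE = re.compile(r"/author/([^/?#]+)/?")


def fetch(url, timeout=10):
    """GET `url` WITHOUT following redirects; return (status, headers, body).

    Redirects must not be followed: for method 1 the username is in the
    Location header of the first 301, not in the final page. Header names
    are lower-cased so callers can look them up reliably.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib surface the 3xx as an HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "wp-username-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, hdrs, body = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx all land here
        status, hdrs, body = err.code, err.headers, err.read()
    return status, {k.lower(): v for k, v in hdrs.items()}, body.decode("utf-8", "replace")


def username_from_author_redirect(status, headers):
    """Method 1: /?author=N. A vulnerable site answers with a redirect to
    /author/<username>/; a site running the fix redirects to the home page.
    Returns the leaked username, or None."""
    if status not in (301, 302, 307, 308):
        return None
    match = AUTHOR_SLUG_RE.search(headers.get("location", ""))
    return match.group(1) if match else None


def usernames_from_rest_users(status, body):
    """Method 2: /wp-json/wp/v2/users[/N]. Returns the exposed slugs (the
    nicename, which defaults to the login name); empty when the route is
    gone (404 rest_no_route) or the body is not JSON."""
    if status != 200:
        return []
    try:
        data = json.loads(body)
    except ValueError:
        return []
    records = data if isinstance(data, list) else [data]
    return [r["slug"] for r in records if isinstance(r, dict) and "slug" in r]


def scan(site, fetcher=fetch, max_id=5):
    """Run both checks against `site` and return the findings per method."""
    findings = {"author_param": {}, "rest_users": []}
    for uid in range(1, max_id + 1):
        status, headers, _ = fetcher(urljoin(site, f"/?author={uid}"))
        name = username_from_author_redirect(status, headers)
        if name:
            findings["author_param"][uid] = name
    status, _, body = fetcher(urljoin(site, "/wp-json/wp/v2/users"))
    findings["rest_users"] = usernames_from_rest_users(status, body)
    return findings


# Constructed sample responses for the offline self-test: ID 1 leaks through
# both channels, ID 2 does not exist, ID 3 shows what the fix looks like
# (redirect to the home page, so nothing to extract).
SAMPLE_RESPONSES = {
    "https://example.test/?author=1": (301, {"location": "https://example.test/author/sitemaster/"}, ""),
    "https://example.test/?author=2": (404, {}, ""),
    "https://example.test/?author=3": (301, {"location": "https://example.test/"}, ""),
    "https://example.test/wp-json/wp/v2/users": (
        200, {"content-type": "application/json"},
        json.dumps([{"id": 1, "name": "Site Master", "slug": "sitemaster"}])),
}


def fake_fetch(url, timeout=10):
    """Stand-in for fetch() that serves the constructed responses."""
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    # Usage: python wp_username_check.py https://YOURSITE.COM/
    # Without an argument the constructed sample site is scanned.
    if len(sys.argv) > 1:
        print(json.dumps(scan(sys.argv[1]), indent=2))
    else:
        print(json.dumps(scan("https://example.test/", fetcher=fake_fetch), indent=2))
```

Run it against your own site before and after adding the two snippets: a clean result is an empty author_param map and an empty rest_users list.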
Done! Keep in mind that these two snippets only close these two channels; a username can still surface elsewhere, for example in the author sitemap (wp-sitemap-users-1.xml on WordPress 5.5 and later). If you have any questions please don’t hesitate to reach out!