
Website Security: How to Change The User Nicename in WordPress

WordPress security is multi-faceted and involves a range of best practices that together minimise the likelihood of your site being hacked. No single small change protects a site on its own, but each one adds up and raises the overall security. And if something is easy to do and benefits your site, why not do it?

Although you can’t prevent every type of attack, simple things will often deter hackers. It is better to make it as hard as possible for someone to exploit your website.

This security tutorial is about obscuring your user nicename. When WordPress is initially installed, it doesn’t automatically hide your user nicename. There is also no option to easily change it within the admin dashboard.

So why would you want to hide it? When you create your username, WordPress derives the user nicename from it. You can change the display name in the admin dashboard, but hackers can simply look at the author archive URL to recover the nicename. You have now handed potential hackers one half of the login requirements for your site, and if you haven’t used a strong password this creates a serious security issue.

Getting familiar with the Users table

To help understand what’s involved when creating a user in WordPress, it’s good to know what is happening within the database. When a user is added, the following fields are created:

  • ID
  • user_login (what’s often referred to as the username)
  • user_pass (the password used for logging in)
  • user_nicename (the slug when looking at author details)
  • user_email
  • user_url
  • user_registered (the date the user was created)
  • user_activation_key
  • user_status
  • display_name

For this example, we have a user with the login “RLS_Admin” to demonstrate.

As mentioned, when you first install WordPress on your hosting, the user login becomes both the display name and the user nicename (sometimes referred to as the slug).

The below screenshot shows which table within the database to refer to, plus highlights the three main fields we are looking at for this tutorial.

[Screenshot: initial user details after install]

Next, the below screenshot of a blog post shows what is normally displayed after a new install without any changes. The display name and the nicename both reflect the user login.

[Screenshot: initial user display name and slug on the front end]

It’s typical advice for WordPress beginners to change the display name within the Users area of the dashboard.

This is done by adding an appropriate nickname and then selecting it from the “display name publicly as” drop down box, as shown below.

[Screenshot: admin user dashboard]

As mentioned, this changes the display name shown on things like blog posts. But if you hover over it, you can see below that the linked URL still shows the original user login as the nicename.

[Screenshot: changing the public display name]

When you make changes in the user dashboard area, it updates the users table in the database. You can see below which fields are updated after adding a nickname and then selecting it to make it the display name.

[Screenshot: users table after updating the display name]

Although you can update the display name and password within the WordPress dashboard, you cannot update the nicename.

To make this update, it requires accessing the database and updating the information within the associated users table.

To update the user nicename, click on the edit link beside the relevant user to open up the edit screen, which will look like the below screenshot.

You can then change the nicename field to something different. We often choose something similar to the Display Name or Business Name when updating the nicename, as shown.

[Screenshot: editing the users table in the database]

Once you hit save in the database, refresh your website page and you will see that the author slug has updated when you hover over the display name.

[Screenshot: updated user slug on the front end]

Once this has been done, we recommend adding the user nicename and similar variations (e.g. with and without hyphens) to your security plugin, so that anyone attempting to log in using the nicename is automatically blocked.
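As an added example (not code from the original tutorial), the same change made through the WordPress API rather than by editing the table by hand, which also flushes WordPress’s cached copy of the user. The function name rls_set_user_nicename is hypothetical, the login “RLS_Admin” is the tutorial’s, and the new slug “RLS Web Design” is a constructed placeholder.

```php
<?php
/**
 * Change a user's nicename (author slug) through the WordPress API instead
 * of editing wp_users by hand. Added example, not code from the tutorial.
 * Drop it into a child theme's functions.php or an mu-plugin, load one
 * admin page while logged in as an administrator, then remove it again.
 */
function rls_set_user_nicename( $login, $new_nicename ) { // hypothetical name
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'No user with that login.' );
    }

    // Normalise to a URL-safe slug, the same way WordPress builds author URLs.
    $slug = sanitize_title( $new_nicename );

    // Refuse a slug that is empty or still identical to the login name.
    if ( '' === $slug || $slug === sanitize_title( $login ) ) {
        return new WP_Error( 'bad_slug', 'Slug must differ from the login.' );
    }

    // Author slugs must be unique; refuse one that belongs to another user.
    $other = get_user_by( 'slug', $slug );
    if ( $other && (int) $other->ID !== (int) $user->ID ) {
        return new WP_Error( 'slug_taken', 'Slug already used by another user.' );
    }

    // wp_update_user() writes user_nicename and clears the cached user object,
    // which a direct UPDATE on the table does not do.
    $result = wp_update_user( array( 'ID' => $user->ID, 'user_nicename' => $slug ) );
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // Hand back the new author archive URL so the change can be confirmed.
    return get_author_posts_url( $user->ID );
}

// Constructed values: the tutorial's login "RLS_Admin" and a placeholder slug.
add_action( 'admin_init', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $url = rls_set_user_nicename( 'RLS_Admin', 'RLS Web Design' );
    error_log( is_wp_error( $url ) ? $url->get_error_message() : 'Author URL is now ' . $url );
} );
```

The result is logged rather than printed, so check the PHP error log (or the returned URL) to confirm the new slug before removing the snippet.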

Modify .htaccess to redirect author search query

If that wasn’t enough, there is another way someone can potentially find out usernames: the author query parameter. If you append “/?author=1” to the domain URL, as shown below, it will reveal the author username.

[Screenshot: author query parameter revealing the username]

To fix this, the below code can be added to the .htaccess file after the #END WordPress code block.

# Redirect any request outside /wp-admin whose query string contains
# a numeric author ID (e.g. /?author=1) back to the homepage.
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

These rules check to see that you’re not in the admin area, and whether or not someone is attempting to access the “author” query parameter. If the conditions are met, the server knows to simply redirect them back to the homepage.
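The .htaccess rules only apply on Apache with mod_rewrite enabled. As an added example, not code from the original tutorial, the same redirect done inside WordPress so it also works on nginx or other hosts. It hooks template_redirect at priority 1, ahead of WordPress’s own canonical redirect, which would otherwise answer /?author=1 with a 301 to /author/<nicename>/ and leak the slug in the Location header. The function name rls_block_author_id_probe is hypothetical.

```php
<?php
/**
 * Redirect ?author=N probes to the homepage from within WordPress.
 * Added example, not from the original tutorial. Works on any web server.
 * Priority 1 runs before redirect_canonical() (priority 10), which would
 * otherwise turn /?author=1 into a 301 to /author/<nicename>/.
 */
add_action( 'template_redirect', 'rls_block_author_id_probe', 1 );

function rls_block_author_id_probe() { // hypothetical name
    // Leave the admin area alone, as the .htaccess rule does.
    if ( is_admin() ) {
        return;
    }
    // Only a numeric author ID is a problem: /?author=<slug> already
    // requires knowing the slug, so there is nothing to enumerate there.
    if ( ! isset( $_GET['author'] ) || ! preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        return;
    }
    // Same outcome as the rewrite rule: a permanent redirect to the homepage.
    wp_safe_redirect( home_url( '/' ), 301 );
    exit;
}
```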

Disabling WordPress JSON REST Endpoints

For those who are a little more advanced and know their way around WordPress, the user details can also be accessed via the REST API. If you go to “https://[yoursite]/wp-json/wp/v2/users/1” it will return the user details as JSON (substitute your domain name for [yoursite]).

Depending on which security plugin you are using, this may already be disabled as part of its settings.

If for some reason the security plugin doesn’t disable the REST API query, it can be manually disabled, but requires a code snippet to be added to the functions.php file (preferably within your child theme).

// Remove the public user listing and single-user routes from the REST API.
// Note: this removes them for logged-in users too, so the block editor's
// author selector (which queries /wp/v2/users) will no longer work.
function disable_rest_endpoints ( $endpoints ) {
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'disable_rest_endpoints' );

Once it has been disabled, the message shown below will be returned if someone tries to query the users endpoint.

[Screenshot: response from the disabled JSON REST users endpoint]

Two factor authentication

Although not related directly to changing your user nicename, another thing to consider to improve your website security is implementing two factor authentication. So what is 2FA?

When you log in with just a password, this is considered one-factor (or one-step) authentication, as it relies only on something “you know”.

Two-factor (or two-step) authentication requires you to prove your identity using two factors instead of just one. You still log in with a password, which is something you know, but you then also have to authenticate with a device, something “you have”.

Summing Up

Implementing these changes to your website doesn’t mean you will never get hacked. Realistically, if someone has the skills and is determined to find your username, or some other way to break into your site, they could still find a way.

However, simple actions like hiding user information will deter the majority, so don’t make it easy for them. Making the username harder to guess not only helps protect your site, it also reduces the overall number of brute force attempts against it and lessens the load on your server.
