Once a hacker knows you are running WordPress, it is easy to get a list of usernames if you haven’t protected them. Google offers a number of “search commands” known as “search operators”, and as the attached screenshot shows, all I have to do is search for “site:wpmu.org/author/” to get the full list of usernames, because by default the author archive URL contains the actual username. That means the hacker now has half of the login equation (the username) and only needs the password.
There are two ways you can address this. The first is to block the entire author directory using robots.txt:
User-Agent: *
Disallow: /author/
The trouble is, if you’re a publication, you don’t want to lose all that SEO value, and your authors want some exposure too, right? So what’s the workaround? Simple: rewrite the author slug so that it doesn’t match the author’s username. Is there a plugin for that? Yes, there is! A few of them, actually:
http://wordpress.org/plugins/edit-author-slug/
http://wordpress.org/plugins/wp-author-slug/
With one of these plugins, your usernames will not be revealed even if the hacker finds the list of authors on your website. Some websites get really creative with the author profiles and call them, e.g., companywebsite.com/team/theboss (/team/ is the author base and /theboss/ is the user slug, which is not the actual username but the author’s nickname). Call it a “masking technique” that protects your site from divulging its usernames. If you’re a publication, you may want to consider changing the author base to “writers” or “journalists” and using the author’s full name as the user slug instead of the default, which is the actual username.
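The same masking can be done without a plugin. The following is an added example written for this page, not code from the post or from either plugin linked above: a must-use plugin that changes the author base to “writers” and makes sure no author’s user slug (WordPress calls it the nicename) still equals the login name. It assumes the file is placed in wp-content/mu-plugins/, that “writers” is the desired base, and that a neutral fallback of the form writer-<ID> is acceptable when a user’s display name is empty or identical to the login. One caveat worth knowing: the robots.txt rule above only asks well-behaved crawlers not to index /author/; the archive pages still answer requests, so it is the slug change, not robots.txt, that actually takes the username out of the URL.

```php
<?php
/*
Plugin Name: Mask Author Slugs (added example)
Description: Use "writers" as the author base and keep author URLs from exposing login names.
*/

// Assumption: this file lives in wp-content/mu-plugins/ so it loads on every request.

// 1. Serve author archives at /writers/<slug>/ instead of /author/<slug>/.
//    Rewrite rules must be flushed once after this changes (see the usage note below).
add_action( 'init', function () {
    global $wp_rewrite;
    $wp_rewrite->author_base = 'writers';
} );

// Build a public slug from the display name. If the result is empty or would still equal
// the login (WordPress defaults display_name to the login), fall back to a neutral label.
function mask_author_build_slug( WP_User $user ) {
    $slug = sanitize_title( $user->display_name );
    if ( $slug === '' || $slug === strtolower( $user->user_login ) ) {
        $slug = 'writer-' . $user->ID; // assumption: neutral fallback, never derived from the login
    }
    return $slug;
}

// 2. One-off audit and fix: every user whose nicename equals the login gets a masked nicename.
//    Returns login => new slug for each user that was changed. WordPress appends a numeric
//    suffix itself if the chosen nicename is already taken by another user.
function mask_author_fix_nicenames() {
    $changed = array();
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        if ( strtolower( $user->user_nicename ) !== strtolower( $user->user_login ) ) {
            continue; // already masked, nothing to do
        }
        $slug   = mask_author_build_slug( $user );
        $result = wp_update_user( array( 'ID' => $user->ID, 'user_nicename' => $slug ) );
        if ( ! is_wp_error( $result ) ) {
            $changed[ $user->user_login ] = $slug;
        }
    }
    return $changed;
}

// 3. Keep new accounts masked: right after registration, replace a nicename that equals the login.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && strtolower( $user->user_nicename ) === strtolower( $user->user_login ) ) {
        wp_update_user( array( 'ID' => $user_id, 'user_nicename' => mask_author_build_slug( $user ) ) );
    }
} );
```

To apply it once on an existing site, run the audit from WP-CLI with `wp eval 'print_r( mask_author_fix_nicenames() );'`, then flush the rewrite rules with `wp rewrite flush` so the new /writers/ base takes effect. Afterwards, check that a search like the one in the screenshot only turns up the masked slugs and not a single login name.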