Username enumeration is the step in which an attacker discovers valid login usernames from information the site exposes publicly. In WordPress, the most common source is the author archive URL, which by default contains the login username. Edit Author Slug closes this specific gap by letting you give each author a public slug that differs from the login credential.
How WordPress Exposes Usernames by Default
WordPress exposes the login username in two publicly accessible places by default:
- Author archive URLs — yoursite.com/author/john if the login username is “john”. The URL is built from the user's slug (user_nicename), which WordPress derives from the login username when the account is created, so the two are normally identical.
- REST API — yoursite.com/wp-json/wp/v2/users returns, without authentication, every user who has published a post, with their ID, display name and slug. The response does not carry user_login itself, but because the slug defaults to the login username it gives the attacker the same thing.
An attacker who knows a valid username only has to guess the password to gain access. Brute force attacks become far more effective when one half of the credential pair is already known, because every attempt is spent on the right account instead of on guessing both values.
The Author URL Problem
WordPress creates an author archive page at /author/login-username/ by default. If you publish posts and the theme links to the author, the username appears in every post's author link, and anyone browsing the site can read it. The archive is also reachable by user ID: with pretty permalinks enabled, a request for /?author=1 redirects to the author's slug URL, so the slug leaks even on sites whose theme never prints an author link. This is not a serious vulnerability on its own, but combined with no login attempt limits and a weak password, it makes brute force attacks more likely to succeed.
Fixing Author URLs with Edit Author Slug
Install Edit Author Slug. Go to Users, then your Profile, and scroll to the Author Slug section. Change the slug to anything other than your login username: a display name, a pseudonym, or a random string, as long as it does not match the login credential. Repeat this for every account that has published posts, not just your own, since each of them has a public archive.
After saving, visit Settings, then Permalinks and click Save Changes to flush the rewrite rules. The author archive is now served at the new slug, and the login username is no longer in any public URL.
Blocking the REST API User Enumeration
Edit Author Slug only changes the slug. Because the REST API's slug field is that same value, the login username disappears from the REST response too, but the endpoint still lists every user who has published posts with their ID and display name, which is enough for an attacker to pick targets. To remove it for unauthenticated requests, add this to your child theme's functions.php (or a must-use plugin, which survives theme changes):
add_filter( 'rest_endpoints', function( $endpoints ) {
    // Only strip the routes for visitors; logged-in editors and admins keep
    // the users endpoint, which the block editor's author selector relies on.
    if ( ! is_user_logged_in() ) {
        // Collection route: /wp-json/wp/v2/users
        if ( isset( $endpoints['/wp/v2/users'] ) ) {
            unset( $endpoints['/wp/v2/users'] );
        }
        // Single-user route: /wp-json/wp/v2/users/<id>. The array key is the
        // route regex exactly as core registers it, including the (?P<id>...) group.
        if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
            unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
        }
    }
    return $endpoints;
} );
This removes the users collection and single-user routes from the REST API for unauthenticated requests, which then receive the same rest_no_route 404 as any unknown route. Authenticated requests (from logged-in users) still work normally, and the /wp/v2/users/me route is left alone because it already requires authentication. After deploying, request yoursite.com/wp-json/wp/v2/users in a private browser window and confirm you get the 404 rather than a user list.
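The following script verifies both exposure paths described above from the outside: it requests the REST users endpoint and the /?author=N redirects, collects every public slug, and reports which of your real login usernames still appear. It is an added example for this page, not code from the page or from the Edit Author Slug plugin. It assumes pretty permalinks with the default "author" base; the KNOWN_LOGINS list and the example.com URLs in the comments are made up.

```python
"""Check a WordPress site for the two public username sources discussed above.

Added example for this page; it is not code from the page or from the Edit Author
Slug plugin. Assumptions (hypothetical): pretty permalinks are enabled and the
author base is the default "author"; KNOWN_LOGINS in the __main__ block is a
made-up list of login usernames the site owner wants to confirm never appear in public.
"""
import json
import re
import sys
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener


def public_user_slugs(status, body):
    """Slugs returned by GET /wp-json/wp/v2/users; [] when the endpoint is blocked.

    The REST response carries the slug (user_nicename) and display name, not
    user_login, but by default the slug is derived from the login username.
    """
    if status != 200:
        return []
    try:
        users = json.loads(body)
    except ValueError:
        return []
    if not isinstance(users, list):
        return []
    return [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]


def slug_from_author_redirect(status, location, author_base="author"):
    """WordPress redirects /?author=N to /<author_base>/<slug>/ when user N exists.

    Returns the slug from the Location header, or None if there is no redirect.
    """
    if status not in (301, 302) or not location:
        return None
    match = re.search(rf"/{re.escape(author_base)}/([^/?#]+)/?", location)
    return match.group(1) if match else None


def exposed_logins(known_logins, public_slugs):
    """Login usernames that are public verbatim as a slug.

    Comparison is case-insensitive because WordPress lowercases nicenames.
    """
    public = {slug.lower() for slug in public_slugs}
    return sorted(login for login in known_logins if login.lower() in public)


class _NoRedirect(HTTPRedirectHandler):
    """Do not follow 3xx responses, so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _fetch(opener, url):
    """Return (status, headers, body); urllib raises HTTPError for non-2xx codes."""
    req = Request(url, headers={"User-Agent": "wp-username-audit"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.headers, err.read().decode("utf-8", "replace")


def audit(base_url, known_logins, max_author_id=10):
    """Probe the REST users endpoint and /?author=1..N and report what leaks."""
    opener = build_opener(_NoRedirect)
    base = base_url.rstrip("/")
    status, _, body = _fetch(opener, f"{base}/wp-json/wp/v2/users")
    slugs = set(public_user_slugs(status, body))
    rest_open = status == 200
    for user_id in range(1, max_author_id + 1):
        status, headers, _ = _fetch(opener, f"{base}/?author={user_id}")
        slug = slug_from_author_redirect(status, headers.get("Location"))
        if slug:
            slugs.add(slug)
    return {
        "rest_users_endpoint_open": rest_open,
        "public_slugs": sorted(slugs),
        "logins_exposed": exposed_logins(known_logins, slugs),
    }


if __name__ == "__main__":
    # Usage: python wp_username_audit.py https://yoursite.com
    # KNOWN_LOGINS is a constructed example; replace it with your real login names.
    KNOWN_LOGINS = ["john", "editor2"]
    print(json.dumps(audit(sys.argv[1], KNOWN_LOGINS), indent=2))
```

Run it before and after the two fixes: on an unhardened site it typically reports the REST endpoint open and the login names in logins_exposed; after changing the slugs and adding the filter, logins_exposed should be empty and rest_users_endpoint_open false. The /?author=N redirects will still reveal the new slugs, which is expected, since the point of Edit Author Slug is that those slugs are no longer credentials. Only run it against sites you own or are authorised to test.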
Changing Login Username for Existing Accounts
WordPress does not allow changing the login username through the admin UI. To change it, either use a plugin such as Username Changer or edit the database directly: in phpMyAdmin, open the wp_users table (your table prefix may differ from wp_), find the user's row and update the user_login field. Note that user_nicename is a separate column and is not updated with it, so if the slug still matches the old login, change that as well. This is rarely necessary on a production site: change the author slug first, and change the login username itself only if the existing one is a serious security concern in its own right.
Combining With Login Security Measures
Hiding the username from public URLs is one layer. Complete login security also includes strong passwords (use a password manager), two-factor authentication (via a plugin such as WP 2FA or Google Authenticator), and limiting login attempts (via Limit Login Attempts Reloaded or your security plugin). Together these layers make brute force attacks impractical even when a username is known, which matters because a username can still leak through other channels, such as comments or feeds that show display names.
For a full WordPress security audit and hardening setup, a WordPress security developer can review your configuration and implement a comprehensive security baseline.