User Names Displayed as Author Names

Allow me to begin with an important note about your blog and CMS security.

The CMS website displays an author name on your pages or posts. By default, WordPress makes the displayed author’s name the same as the “user-name” you use to log into WordPress. Is this good?

Some will tell you it is not a big deal, that the WordPress framework provides enough security to discourage hackers, or something along those lines. Is this not a big deal then? You bet it is a big deal, because once you allow your login user name to become public, that is 50% of your security lost to hackers and spammers.

If your site shows your username as the author name, then hurry to change it. Every hacker out there will go at your WordPress login screen using that posted name as the user name to brute force a login into your WordPress Dashboard and you certainly do not want that.

…but, please read on before you change it.

To this date I wonder why this default has not been changed, but WordPress developers should make it mandatory for users to choose a display name and by default, not allow the user-name to be displayed, but hey, that is common sense.

I have several clients using WordPress sites and each website shows attempts by hackers to force their way in. There is no way around it. Even Joomla and Drupal suffer the same problems so there is no way to avoid it, but there are certainly ways to block it and make it tougher for hackers.

One of my clients, who came to me for some work, already had a WordPress site. When I did a security review, I found that someone other than the website owner was trying to log into the WordPress Admin page using the owner’s “user-name”. To my dismay, I saw that the owner had unwittingly left the default settings to use the “user-name” as the official display name. It would be only a matter of time for brute force attacks to find the password and the website is lost, and I have seen that happen. No one is immune.

Change your “Display” name

Whether or not you know it, you have already had many attempts by hackers to log into your WordPress site using the displayed author’s name as a login user name. You are definitely going to have to change it; that is the best option and, in my view, the only one.

Why the only option?

It is because the hacker will continue to use your displayed author’s name as a login user-name in an attempt to hack your WordPress site. He has 50% of the login information. All he needs is to find the password, and there are many programs out there to do that. It just takes time, and it seems that is all the hackers have in their life: lots of spare time.

Ok, so how do you change the user-name?

  1. Login to your WordPress Admin Dashboard.
  2. Click “Users” in the left menu column.
  3. Locate your user name and hover your cursor over it, click “edit” under the user-name.
  4. Scroll down to the email listed and change it to anything. For example, let’s say your email address listed is “john@mail.com”. Change it to anything like “mmx@mail.com” and click the “Update Profile” button.
  5. Left Column, click “Add New” (under the Users menu item)
  6. Fill in the new profile, choose a different user-name that you have never used before. Do not make it close or similar to the old one.
    • Never use “admin”, “administrator”, “user”, “test”, [your website name], [acronym for your website domain name or business name] or [your business name].
    • Use nicknames, pet names, call names (like “rider”, or “ghostman”), mixed letters, etc.
    • Include underscores, dashes, even special characters such as *&^%$, etc.
    • Include a number, like “ghostman-2”.
    • Be imaginative and unique.
  7. Fill in the same email address you used previously (this is why we changed it in the old profile first, WordPress does not allow the same email address used for more than one profile). You can use a different email address if you prefer, but it has to be solely your email address, active and not shared with anyone else.
  8. Here is the next important part. For the “First” name slot, choose a unique “First” name. Whatever you want; it does not have to be your birth name. It can be, but generally people use some pen name they created. It can be “Mr.Wonderful”, just any name you want to show to the world, but it has to be different from the user name and not even remotely close either.
  9. Leave the last name blank, unless you want to continue the unique display name with something else; if so, then fill in something.
  10. Now, fill out the rest, including the password part. Click “Show Password” and WordPress will show the current auto-generated password. Use the auto-generated one if you wish, or… create your own, but you must use this configuration: one CAPITAL letter, numbers, letters and special characters as ?><“:{})&^%$#@! (in any order). Make the password a minimum of 8 characters long. (*** Write down what you chose as a password ***)
  11. Check “Send the new user an email about their account”.
  12. Lastly, (important) beside the “Role”, choose “Administrator” from the drop-list. Of course, only if you are the admin of the site.
  13. Click “Add New User” button.

Now, log out of WordPress and log back in with the new username and password.
(I hope you wrote down that new password?)

Once into the dashboard under the new user name do the following:

  1. Click “All Users” in the left column of the dashboard.
  2. Find the old user name, click “delete” (just under the user name). A delete window to the right shows.
  3. Go to “Attribute all content to”, click to choose that option, then in the drop list, choose the display name (first name) you created for the new user account. In my example above, that would be “Mr Wonderful”.
  4. Now click the “Confirm Deletion” button.
  5. The old user name account is deleted and all content is now connected to your new official public display name that is uniquely different from the new user-name.

You have just made a 100% change on the hackers and made their life more difficult.
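
To confirm that no account still exposes its login after these steps, the following audit script is an added example, not part of the original article. It assumes WP-CLI is installed and that the user list was exported with `wp user list --fields=user_login,display_name,roles --format=csv`; the sample export, the `audit_users` helper and the 0.6 similarity threshold are constructed for illustration.

```python
import csv
import io
from difflib import SequenceMatcher

# Login names the article says never to use.
WEAK_LOGINS = {"admin", "administrator", "user", "test"}

# Constructed sample in the shape of the WP-CLI CSV export (not real data).
SAMPLE_EXPORT = """user_login,display_name,roles
john,john,administrator
admin,Site Owner,administrator
ghostman-2,Mr.Wonderful,administrator
rider_77,Rider 77,editor
"""


def normalize(name):
    """Lower-case and keep only letters and digits, so 'rider_77' == 'Rider 77'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def audit_users(csv_text, threshold=0.6):
    """Return {login: [findings]} for accounts that reveal or weaken the login name.

    threshold is an assumed cut-off for "remotely close"; tune it to taste.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        login, shown = row["user_login"], row["display_name"]
        a, b = normalize(login), normalize(shown)
        issues = []
        if login.lower() in WEAK_LOGINS:
            issues.append("weak login name")
        if a == b:
            issues.append("display name equals login name")
        elif SequenceMatcher(None, a, b).ratio() >= threshold:
            issues.append("display name too close to login name")
        if issues:
            findings[login] = issues
    return findings


if __name__ == "__main__":
    for login, issues in audit_users(SAMPLE_EXPORT).items():
        print(f"{login}: {', '.join(issues)}")
```

An empty result means every account follows the naming rules above; any login that is listed should be replaced using the same add-new-user and delete-old-user procedure.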