User Name Security : Hide User’s Login

SX User Name Security

I realized that knowing the login (username) of an administrator, or of any other user, can help an attacker compromise your site. To be clear, the login alone is not enough to get in, but it removes half of the guesswork from a brute-force or password attack.

User Name Security solves this problem. The plugin grew out of discussions we had at WordCamp Paris in 2013, where WordPress security came up repeatedly, notably in the talks of Julio Potier, who is hosting me here (thank you).


So I asked myself the following question: how can a malicious individual get hold of this information? The answer is very simple: WordPress shows it in clear text in several places. You find it in the name displayed for every author, contributor, editor or administrator of the site, in the URL of their author page, and in the classes that the body_class function adds to the body element.

We created the User Name Security plugin to close these leaks, and it has been improved since.

The body_class function

Let's start with the simplest one. The body_class() function is used by many themes to add classes to the body element of your pages. Those classes can then be used to apply a style or a script to specific pages.

The problem is that on author.php (the author archive template) this function writes both the user's ID and their nicename straight into the page source, and the nicename is by default nothing other than the login, lowercased. For example, for a user with the login TheAdmin and the ID 2, the page source will contain the following classes on the body:

  • author-2
  • author-theadmin

Simply activating User Name Security removes these two classes on every author page.
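For readers who want to see what "removing these two classes" looks like in code, here is an added example (this is not the plugin's own source). It hooks the real WordPress body_class filter; the uns_example_ function name is invented for this illustration.

```php
<?php
/**
 * Added example, not the plugin's code: strip the two leaking classes that
 * WordPress adds on author archives ("author-{nicename}" and "author-{ID}")
 * while keeping the generic "author" class that themes style against.
 */
function uns_example_strip_author_classes( $classes ) {
    if ( ! is_author() ) {
        return $classes; // only author archives carry these classes
    }
    $kept = array();
    foreach ( (array) $classes as $class ) {
        // Drop "author-theadmin" and "author-2"; keep "author" and everything else.
        if ( 'author-' === substr( $class, 0, 7 ) ) {
            continue;
        }
        $kept[] = $class;
    }
    return $kept;
}
// Late priority (99) so a theme that appends its own classes runs first
// and cannot re-add the author-* ones after we removed them.
add_filter( 'body_class', 'uns_example_strip_author_classes', 99 );
```

With this filter active, the body element on /author/theadmin/ still carries "archive" and "author" but neither author-theadmin nor author-2. The login is then gone from the markup, though it is still visible in the URL itself, which is what the nicename section below deals with.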

Display Name and Nickname

That was the easy part. The bigger concern is how WordPress behaves when a user registers. By default, WordPress copies the login into the display name (Display Name) and the nickname (Nickname). Unless the user changes them by hand, the login is what gets used and shown publicly. In other words, you are handing your login to everyone.

The User Name Security plugin handles two things:

  • when a user registers, a random value is assigned to both the Display Name and the Nickname
  • when a user logs in, it checks that neither value equals the login:
    • if both are identical to the login, both get a new random value
    • if only one of them is identical to the login, it takes the value of the other.

In short, your login should never see the light of day on your site.

The nicename

Last step: changing the nicename, which is used to build the URL of the author pages.

For now, the plugin does not touch authors that already exist (that will come in a future version, together with the necessary 301 redirects). But for every new registration it uses a random value, so the login does not appear in the address of those pages either.
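The behaviour described in the two previous sections (random Display Name and Nickname at registration, the login-time check with its two rules, and a random nicename for new registrations) can be implemented in a few WordPress hooks. The following is an added example written for this page, not the plugin's own code. user_register, wp_login, wp_update_user(), wp_rand() and sanitize_title() are real WordPress APIs; the uns_example_ names are invented here, and the case-insensitive comparison is this example's choice, since "TheAdmin" and "theadmin" reveal the same login.

```php
<?php
/**
 * Added example, not the plugin's code: keep the login out of every public
 * identifier WordPress derives from it (display name, nickname, nicename).
 */

// Hypothetical helper: a 7-digit number, matching the "New user 5489113" format.
function uns_example_random_number() {
    return wp_rand( 1000000, 9999999 );
}

// 1. At registration: overwrite the three login-derived values.
add_action( 'user_register', function ( $user_id ) {
    $n = uns_example_random_number();
    wp_update_user( array(
        'ID'            => $user_id,
        'display_name'  => sprintf( 'New user %d', $n ),
        'nickname'      => sprintf( '%d new user', $n ),
        // user_nicename builds the author URL: /author/user-5489113/
        // instead of /author/theadmin/. sanitize_title() keeps it URL-safe.
        'user_nicename' => sanitize_title( 'user-' . $n ),
    ) );
} );

// 2. At login: the user may have typed the login back into the profile,
//    so re-check both values and repair whatever leaks.
add_action( 'wp_login', function ( $user_login, $user ) {
    $fix = uns_example_fix_public_names( $user_login, $user->display_name, $user->nickname );
    if ( null !== $fix ) {
        wp_update_user( array_merge( array( 'ID' => $user->ID ), $fix ) );
    }
}, 10, 2 );

/**
 * Decision logic kept free of side effects so it can be tested on its own.
 * Returns the fields to update, or null when neither value equals the login.
 */
function uns_example_fix_public_names( $login, $display_name, $nickname ) {
    $display_leaks  = 0 === strcasecmp( $login, $display_name );
    $nickname_leaks = 0 === strcasecmp( $login, $nickname );

    if ( $display_leaks && $nickname_leaks ) {
        // Both identical to the login: both get a fresh random value.
        $n = uns_example_random_number();
        return array(
            'display_name' => sprintf( 'New user %d', $n ),
            'nickname'     => sprintf( '%d new user', $n ),
        );
    }
    if ( $display_leaks ) {
        return array( 'display_name' => $nickname ); // take the other value
    }
    if ( $nickname_leaks ) {
        return array( 'nickname' => $display_name ); // take the other value
    }
    return null; // nothing reveals the login
}
```

Note that the registration hook changes user_nicename only for accounts created after activation, which is exactly the limitation stated above: existing authors keep their old URL, and changing their nicename without a redirect would break every link to their archive.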

To conclude

The plugin is currently translated into English and French. For example, on an English WordPress the display name and nickname are randomised in this form:

  • 5489113 new user (random number)
  • New user 5489113 (random number)
User Name Security - Before After

Simply install and activate the plugin; there is nothing to configure.

The code has also been reviewed and cleaned up by SecuPress, so it is clean and safe. So go ahead and download it to make your WordPress a little more secure.
