I have been using WordPress for a few years and I’ve grown to love its simple and well presented interface. What I have noticed is the volume of people trying to log into my sites by guessing usernames and then presumably trying guessed or randomly generated passwords. I’ve been logging the usernames they are using and the pattern has become very clear. So here are my Top 7 Usernames to Avoid on your WordPress site.
Of all the usernames spammers have been trying to use, the following form the basis of 95% of attempts. The other 5% are made up of slightly more unusual names, but these may be due to confusion rather than deliberate attempts to do something naughty.
In no particular order the usernames to avoid are …
- user
- test
- admin
- administrator
- [user display names]
- [user “author archive” names]
- [combinations of your site name]
There are four approaches spammers will try:
- Guess based on common usernames (e.g. “admin”)
- Guess based on the site name (e.g. “tech-spy”)
- Assume the author name that appears next to a post is a real username (e.g. “Matt”)
- Assume the name that appears in the author archive link is a real username (e.g. https://www.tech-spy.co.uk/author/matt/)
Defend Against Type 1 and 2
If you avoid usernames based on my list above you will avoid spammers simply assuming what your login names are. Easy.
Defend Against Type 3
When you create a user within WordPress you set a “username”. The user can then set a “nickname” and a “display” name to show publicly alongside posts. Spammers will assume this Public name is also the username and use that as the basis for their login attempts.
Make sure your usernames never match the nickname or public display name used by your authors. It’s easy to change! Your username could be “JohnX” but your display name could be a friendlier “John”. The spammer will then assume the username is John and get it completely wrong.
Defend Against Type 4
WordPress provides links to an “author archive” which lists all posts by a specific author. The link looks something like:
http://www.tech-spy.co.uk/author/matt/
The name used in this link is a database field called “user_nicename”. It is set to the username on creation and you can’t change it afterwards from within the Dashboard. This is really irritating and something I hope the WordPress team change at some point. Usernames should never be exposed within a public-facing system. I changed mine by modifying the value in my “users” database table using phpMyAdmin.
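To check an existing site against all four guess types at once, here is an added audit script (my own example, not code from WordPress or from this post). It assumes you have exported the user_login, display_name and user_nicename columns of the wp_users table into a list of dicts; the sample rows below are constructed.

```python
import re
from typing import Dict, List

# Common usernames the post says account for most guessing attempts (type 1).
COMMON_USERNAMES = {"user", "test", "admin", "administrator"}


def _site_name_variants(site_name: str) -> set:
    """Derive the obvious username guesses that can be formed from a site name (type 2)."""
    base = site_name.lower()
    tokens = [t for t in re.split(r"[^a-z0-9]+", base) if t]
    variants = {base, "".join(tokens), "-".join(tokens), "_".join(tokens)}
    variants.update(tokens)
    return variants


def audit_users(users: List[Dict[str, str]], site_name: str) -> Dict[str, List[str]]:
    """Return {user_login: [findings]} for every user exposed by one of the four guess types."""
    site_variants = _site_name_variants(site_name)
    findings: Dict[str, List[str]] = {}
    for u in users:
        login = u["user_login"]
        login_l = login.lower()
        problems = []
        if login_l in COMMON_USERNAMES:
            problems.append("type 1: common username")
        if login_l in site_variants:
            problems.append("type 2: derived from site name")
        # WordPress stores user_nicename lower-cased, so compare case-insensitively.
        if login_l == u.get("display_name", "").lower():
            problems.append("type 3: display name reveals username")
        if login_l == u.get("user_nicename", "").lower():
            problems.append("type 4: author archive slug reveals username")
        if problems:
            findings[login] = problems
    return findings


# Constructed sample rows for demonstration, not real accounts.
SAMPLE_USERS = [
    {"user_login": "admin", "display_name": "Site Admin", "user_nicename": "admin"},
    {"user_login": "JohnX", "display_name": "John", "user_nicename": "johnx-editor"},
    {"user_login": "Matt", "display_name": "Matt", "user_nicename": "matt"},
    {"user_login": "tech-spy", "display_name": "Editor", "user_nicename": "editor"},
]

if __name__ == "__main__":
    for login, problems in audit_users(SAMPLE_USERS, "Tech-Spy").items():
        print(f"{login}: {'; '.join(problems)}")
```

Only “JohnX” passes, because its display name and archive slug both differ from the login, which is exactly the separation the post recommends.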
Final Thoughts
Like all aspects of security, no one technique is good enough on its own but needs to form part of a layered approach. Avoiding the above usernames doesn’t cost you a penny and is easy to implement. It won’t stop someone attempting to log into your account, but if they are guessing the wrong username they are going to be falling at the first hurdle. Just the way we like it!