Posted on November 24, 2015 (updated November 27, 2015) by Jerry Wang

Batch rename WordPress user_nicename

If you know the WordPress database inside and out, user_nicename shouldn’t be strange to you. It is the kind of thing that is ignored and easily overlooked, but that hackers are always trying to dig into for useful information. Useful, of course, for hacking your site.

(If you know exactly what this is about and just came for the tricks, please go directly to the bottom of the post.) If you don’t know much about it yet, here is how hackers make use of it.

In WordPress, the username (user_login) is used to log in, and user_nicename is used to build the author permalink. The username is chosen by the user (or administrator), but user_nicename is generated automatically as a URL-sanitized version of user_login. Simply put, if there are no special characters in the username, user_nicename is the username.

Without extra protection, user_nicename can be obtained via an author query, and by default that is the same as the username used for login.

To log in to a website, one needs a username and a password. When an insecure, easy password is used, a hacker can easily test for a valid login using a real user login (obtained via the author query) and a popular-passwords list downloadable from the Internet. If you are interested in learning more about this, you can check my other post on this subject: WordPress security with WPScan: Username.

The bad news: user_nicename cannot be changed by the user from the WordPress admin dashboard.

“Is it that serious?” one may ask. Well, let’s check it out.

I use a plugin called “Limit Login Attempts” as one security measure to tighten up the security of a WordPress website. It limits login attempts, which is very effective against brute-force attacks.

The plugin offers a very important piece of information: an IP lockout log. For each lockout it shows which usernames were used to log in from which IP.

When I started to notice that real usernames were being used to log in by hackers (judging from the IPs), I changed the user_nicename so it differed from the user_login. Very predictably, the usernames shown in the lockout records then changed to the new user_nicenames.

Apparently, hackers are using the default setting, which is conveniently accessible on most default WordPress installations, to obtain the legitimate login username as 50% of the key needed to start a brute-force attack. We need to stop this.

How to check and change user_nicename

I use phpMyAdmin. For WordPress developers, this requires no further introduction.

For a website with only a handful of users, the easiest way is to edit the user_nicename value in the database directly.

For a website with more than a handful of users, manual editing becomes tedious or even impossible. If so, here is the command I use to speed things up. This command is useful when a user display name is provided and is different from the username. For example, my username is iamwebmaster and my display name is “Jerry Wang”. I can then compose the user_nicename as jerry_wang instead of using my real login username.

(It is a SQL command. Know what you are doing and use it with caution.)

-- Replace the author slug with a lower-cased, hyphenated copy of the display name,
-- but only for accounts whose slug still equals the login name.
-- Note: rows whose display_name equals user_login are effectively left unchanged,
-- and two users sharing a display name would end up with the same slug.
UPDATE wp_users
SET user_nicename = LOWER( REPLACE( display_name, ' ', '-' ) )
WHERE user_login = user_nicename;
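As an added example (not from the original post), here is a MySQL/MariaDB dry run around that command, built on a constructed wp_users table: it lists the accounts whose author slug still equals the login, flags the candidates that would collide with another account or contain characters WordPress would not keep in a slug, and then applies the rename only to the clean rows. The reduced table shape and the five sample users are assumptions.

```sql
-- Constructed sample: the wp_users columns the rename touches (the real table has more).
CREATE TABLE wp_users (
  ID            BIGINT PRIMARY KEY,
  user_login    VARCHAR(60)  NOT NULL,
  user_nicename VARCHAR(50)  NOT NULL,   -- indexed but NOT unique in WordPress
  display_name  VARCHAR(250) NOT NULL
);
INSERT INTO wp_users (ID, user_login, user_nicename, display_name) VALUES
  (1, 'iamwebmaster', 'iamwebmaster', 'Jerry Wang'),   -- clean: becomes jerry-wang
  (2, 'editor01',     'editor01',     'editor01'),     -- display name = login: nothing gained
  (3, 'jsmith',       'jsmith',       'John Smith'),   -- candidate john-smith is taken by ID 4
  (4, 'john.smith',   'john-smith',   'John Smith'),   -- already differs from login, untouched
  (5, 'writer',       'writer',       'Ann O''Brien'); -- apostrophe survives REPLACE()

-- 1. Exposure check: accounts whose author slug still reveals user_login.
SELECT ID, user_login, display_name
FROM wp_users
WHERE user_login = user_nicename;

-- 2. Collision check: would any planned slug duplicate another account's slug?
--    Existing slugs of untouched rows plus the candidates of rows to be renamed.
SELECT slug, COUNT(*) AS n
FROM (
  SELECT user_nicename AS slug FROM wp_users WHERE user_login <> user_nicename
  UNION ALL
  SELECT LOWER(REPLACE(display_name, ' ', '-')) FROM wp_users WHERE user_login = user_nicename
) AS planned
GROUP BY slug
HAVING n > 1;                       -- reports john-smith (IDs 3 and 4)

-- 3. Rename only where it helps and yields a valid slug; rows reported by step 2
--    are excluded by hand (ID 3 here) and get a manually chosen nicename instead.
UPDATE wp_users
SET user_nicename = LOWER(REPLACE(display_name, ' ', '-'))
WHERE user_login = user_nicename
  AND display_name <> user_login
  AND LOWER(REPLACE(display_name, ' ', '-')) REGEXP '^[a-z0-9-]+$'
  AND ID NOT IN (3);

-- 4. Verify: only IDs 2, 3 and 5 should remain, each needing a hand-picked slug.
SELECT ID, user_login, user_nicename
FROM wp_users
WHERE user_login = user_nicename;
```

Run steps 1 and 2 against a backup or a read replica first; because the user_nicename index is not unique, a collision would not raise an error but would silently give two authors the same archive URL.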

Final Thought

Security is really NOT just a few tips and tricks; it is all about the right concepts and good habits. As long as you follow the right security practices, have the right security measures applied to your WordPress website, and choose a strong password as recommended, you are in a better position to protect yourself.

If you simply repeat what others tell you, such as “no admin user”, but don’t know why, your site can get hacked easily even if you don’t have an “admin” administrator user.

If you don’t believe it, try this out:

http://yoursiteurl/?author=1

Batch rename WordPress user_nicename was last modified: November 27th, 2015 by Jerry Wang
