If you know WordPress database inside and out, the user_nicename shouldn’t be strange to you. It is such kind of thing that has been ignored and easily overlooked, but hackers are always trying to dig into and get useful information from. Of course, useful to hack your site.
(If you know exactly what this is about, and just come in for the tricks, please go directly to the bottom of the post). If you don’t know much about it yet, here is how it works for hackers.
In WordPress, username (user_login) is used for login and user_nicename is used to create author permalink. Username is chosen by user (or administrator), but user_nicename is an automatically generated, url sanitized version of user_login. Simply put, if there is no special characters in username, user_nicename is username.
Without extra protection, user_nicename can be obtained via author query. I.e., the username for login.
To login to a website, one requires username & password. When insecure easy password is used, hacker can easily test out a valid login using a real user login (abtained via author query) and a popular passwords list downloadable from the Internet. If you are interested in learning more about this, you can check my other post on this subject: WordPress security with WPScan: Username.
The bad news: user_nicename is not user changeable at WordPress admin dashboard.
“Is it that serious”? One may ask this question. Well, let’s check it out.
I use a plugin called “Limit Login Attempts” as one security measure to tighten up the security on WordPress website. It limits the user login attempts, which very effectively helps in against brute-force attack.
The plugin offers a very important piece of information, an IP lockout log. It shows you in each lockout, what usernames have been used to login from which IP.
When I started to noticed real usernames were used to login by hackers (judged from IP), I changed the user_nicename so it is different from user_login. Very predictable, usernames showed in lockout records then changed to the new user_nicenames.
Apparently, hackers are using the default setting, which is conveniently accessible on most WordPress website default installation, to obtain the legit login username as their 50% of the key to start the brute-force attack. We need to stop this.
How to check and change user_nicename
I use phpMyAdmin. For WordPress developer, this requires no further introduction.
For website with only a handful of users, the easiest way is to edit the user_nicename value in the database directly.
For website with more than handful of users, manual edit becomes tedious or even impossible. If so, here is the command I use to speed up. This command is useful when user display name is provided and different from username. For example, my username is: iamwebmaster, and the display name is “Jerry Wang”. I can then compose the user_nicename to jerry_wang instead of using my real login username.
(It is a SQL command. Know what you do, use with caution.)
UPDATE wp_users SET user_nicename = LOWER( REPLACE( display_name, ' ' , '-') ) WHERE user_login=user_nicename
Security is really NOT just few tips and tricks, it is all about the right concept and good habit. As long as you follow the right security practice, have the right security measures applied on WordPress website, choose the right (strong) password as recommended. You are in a better position protecting yourself.
If you simply repeat what others tell you, no “admin” user, but don’t know why. Your site can get hacked easily even you don’t have an “admin” administrator user.
If you don’t believe, try this out: