
You just launched a fresh WordPress site. No posts published. A completely new admin username. Then, hours later – boom. You start getting brute force login attempt alerts.
How did they find the username so fast?
It turns out, WordPress exposes more than most site owners realize. Fortunately, there are clear steps you can take to lock down your site and stop these attacks.
How Hackers Discover WordPress Usernames
Even if you’ve chosen an obscure admin username, bots and attackers use a range of automated methods to uncover it:
1. Author URL Scanning
WordPress numbers every user, and user ID 1 is normally the account created during installation. Requesting:
yourwebsite.com/?author=1
triggers WordPress's canonical redirect to that user's archive page:
yourwebsite.com/author/yourusername/
The last path segment is the user's slug (user_nicename), which defaults to the login name, so the redirect hands the username over in plain text. Bots simply count upward (?author=2, ?author=3, and so on) to collect every account on the site.
2. REST API Exposure
Unless restricted, the WordPress REST API serves user records to anyone, with no login, at:
yourwebsite.com/wp-json/wp/v2/users
The response lists every user who has authored published content, and its slug field defaults to the login name. Appending an ID (/wp/v2/users/1) queries a single account directly.
3. Metadata and RSS Leaks
Even if your admin hasn’t posted, the username can still surface in:
- Schema.org markup
- Open Graph meta tags
- RSS feeds (the dc:creator element on each item)
- Author link anchors in the theme
Most of these print the account's display name rather than its login name, but WordPress sets the display name equal to the username when the account is created, so unless you changed it afterwards they are the same string.
4. SEO and Theme Settings
Some SEO plugins auto-generate author pages or sitemaps, and many themes display author links by default – both can leak usernames unless configured otherwise.
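The three leak surfaces above can be checked from the outside with a few lines of code. The following script is an added example written for this post, not code from WordPress or from the article: the parsing functions run offline against constructed sample responses shaped like WordPress output, and the live audit() helper at the bottom only runs when you execute the file directly against a base URL you supply (the hostname example.com, the user jane-admin and the file name audit.py are placeholders).

```python
"""Added example for this post (not code from WordPress or the article):
an offline audit of the three leak surfaces above. The sample responses are
constructed here in the shape WordPress produces; the live helper at the
bottom runs only when the file is executed directly, against a base URL you
supply.
"""
import json
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# 1. Author URL scanning: /?author=N redirects to /author/<slug>/ and the
#    slug (user_nicename) defaults to the login name.
AUTHOR_RE = re.compile(r"/author/([^/?#]+)")

def username_from_author_redirect(location_header):
    """Return the user slug found in a Location header, or None."""
    m = AUTHOR_RE.search(location_header or "")
    return m.group(1) if m else None

# 2. REST API: /wp-json/wp/v2/users lists users who have published content.
def slugs_from_rest_users(body):
    """Return [(id, slug)] from the users endpoint's JSON body."""
    return [(u["id"], u["slug"]) for u in json.loads(body)]

# 3. RSS: <dc:creator> carries the *display name*, which equals the login
#    name only if it was never changed (the default for a new account).
DC_NS = "{http://purl.org/dc/elements/1.1/}"

def creators_from_rss(body):
    """Return the distinct dc:creator values in a feed, sorted."""
    root = ET.fromstring(body)
    return sorted({el.text for el in root.iter(DC_NS + "creator") if el.text})

# Constructed samples (not captured from a real site).
SAMPLE_LOCATION = "https://example.com/author/jane-admin/"
SAMPLE_REST = json.dumps([
    {"id": 1, "name": "Jane Admin", "slug": "jane-admin",
     "link": "https://example.com/author/jane-admin/"},
])
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel><title>Example</title>
<item><title>Hello world!</title><dc:creator>Jane Admin</dc:creator></item>
<item><title>Second post</title><dc:creator>Jane Admin</dc:creator></item>
</channel></rss>"""

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of following it, so the
    Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def audit(base_url, max_id=5):
    """Live check of your own site. Returns the set of slugs and display
    names exposed. Assumes pretty permalinks for /feed/; use /?feed=rss2
    otherwise."""
    found = set()
    opener = urllib.request.build_opener(NoRedirect)
    for uid in range(1, max_id + 1):
        try:
            with opener.open(f"{base_url}/?author={uid}", timeout=10):
                pass  # 200 with no redirect: nothing leaked by this path
        except urllib.error.HTTPError as err:
            slug = username_from_author_redirect(err.headers.get("Location"))
            if err.code in (301, 302) and slug:
                found.add(slug)
        except urllib.error.URLError:
            pass
    surfaces = (
        ("/wp-json/wp/v2/users", lambda b: [s for _, s in slugs_from_rest_users(b)]),
        ("/feed/", creators_from_rss),
    )
    for path, extract in surfaces:
        try:
            with opener.open(base_url + path, timeout=10) as resp:
                found.update(extract(resp.read().decode("utf-8", "replace")))
        except (urllib.error.URLError, ValueError, ET.ParseError, KeyError):
            pass
    return found

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: audit.py https://yourwebsite.com")
    print(audit(sys.argv[1].rstrip("/")))
```

Run it as python audit.py https://yourwebsite.com after applying the fixes further down: a hardened site returns an empty set, because ?author=N no longer redirects, the users endpoint is gone for anonymous requests, and the feed shows a display name that differs from the login name. Only run it against sites you own or are authorised to test.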
Why It Matters
Once an attacker has your admin username, the only unknown left is the password. A login form asks for two secrets; leaking one of them means the whole guessing budget can be spent on the other, and username guessing is no longer needed at all.
Even if your password is strong, a constant stream of login attempts wastes server resources, fills your logs with noise, and leaves you one reused or leaked password away from compromise.
How to Stop Hackers from Discovering Your Admin Username
Here are actionable steps you can take to prevent your WordPress site from leaking usernames:
✅ Use a Non-Publishing Admin
Create a second user account with Editor or Author permissions to publish content. Keep your true admin account for admin functions only – and never post with it.
✅ Disable Author Archives
Use your SEO plugin or .htaccess to block author archive URLs:

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
# Leave the dashboard alone: edit.php?author=N is a legitimate admin filter
RewriteCond %{REQUEST_URI} !^/wp-admin/
# Match author=N anywhere in the query string, not only when it is the whole string
RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+ [NC]
RewriteRule ^ - [F]
</IfModule>
```

The rule answers 403 for every numeric author query whether or not the ID exists, so it does not leak which IDs are valid. The wp-admin exclusion matters because the dashboard's post list filters by edit.php?author=N; adjust that path if WordPress lives in a subdirectory. This only covers the ?author=N form: the pretty URL /author/username/ is handled by disabling author archives in your SEO plugin, and the REST API needs the separate step further down.
In WordPress plugins like Rank Math:
- Go to Titles & Meta > Authors
- Disable the author archives
✅ Restrict the REST API
Block the user endpoints for anonymous visitors by adding this to your theme's functions.php (put it in a child theme or an mu-plugin so a theme update does not wipe it):

```php
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) { // keep the routes for the block editor and Users screen
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
```

The logged-in check matters: removing the routes for everyone breaks the block editor's author selector and the Users screen, which fetch the same endpoints with your session. The second unset covers the per-user route (/wp/v2/users/1), which otherwise stays reachable after the list route is gone. Anonymous requests now get a 404 "No route was found" response instead of a user list.
✅ Disable XML-RPC
Many brute force tools use xmlrpc.php. Block it with:

```apache
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
```

That is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat loaded, replace the two inner lines with Require all denied. Blocking the file also cuts off Jetpack and the WordPress mobile apps, which talk to your site through it, so if you rely on those, leave the file reachable and rate-limit it instead.
XML-RPC (short for XML Remote Procedure Call) is a feature in WordPress that allows remote access to your site.
It was originally designed to let external apps and services communicate with WordPress, for example:
- Publishing blog posts via mobile apps
- Connecting to services like Jetpack or pingbacks/trackbacks
- Performing remote actions without logging in via the browser
🛑 Why It’s a Security Risk
While XML-RPC has legitimate uses, it’s become a common target for hackers because:
- system.multicall lets one HTTP request carry many login attempts, so a rate limit that counts requests rather than credentials is bypassed (WordPress 4.4 and later reject the remaining calls in a multicall once one login fails, but each request still reaches your password check and the endpoint accepts unlimited requests)
- It exposes a method to scan for valid usernames
- pingback.ping makes your server fetch an attacker-chosen URL, so thousands of WordPress sites can be pointed at one victim in a reflected DDoS
Even if you’re not using it, XML-RPC is enabled by default in WordPress, and since version 3.5 there is no dashboard switch for it. The xmlrpc_enabled filter turns off the methods that require authentication from PHP (pingbacks keep working), while the <Files> rule above blocks the file entirely.
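To make the multicall point concrete, here is an added example written for this post (not code from WordPress or the article). It builds the kind of system.multicall body a brute force tool sends, reads a reply of the shape WordPress returns, and includes a small request-inspection helper of the sort a WAF or log pipeline could apply. Everything runs offline: the target username, the password guesses, the sample reply and the detection threshold are all constructed placeholders.

```python
"""Added example for this post (not code from WordPress or the article): what
a multicall brute-force request against xmlrpc.php looks like, how the reply
reads, and a request-inspection helper a WAF or log pipeline could apply.
Everything is offline; the reply below is a constructed sample in the shape
WordPress returns, not captured traffic.
"""
import xmlrpc.client

USERNAME = "admin"                                        # assumed target
GUESSES = ["Password1", "Winter2024!", "correct horse"]   # constructed list

def build_multicall(username, passwords):
    """One POST body that asks WordPress to check every password in the list.
    wp.getUsersBlogs is used because it authenticates but needs no blog id."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    # dumps() takes a tuple of positional params; system.multicall takes a
    # single array of call structs.
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")

def build_single_call(username, password):
    """An ordinary one-guess-per-request login, for comparison."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")

# Constructed reply: guess 1 is right, guesses 2 and 3 fail. Inside a multicall
# WordPress reports each failure as a struct with faultCode/faultString rather
# than a top-level <fault>, so xmlrpc.client.loads() returns instead of raising.
# On WordPress 4.4+ every call after the first failed login is refused without
# its password even being checked.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><array><data><value><array><data><value><struct>
<member><name>blogName</name><value><string>Example Site</string></value></member>
<member><name>isAdmin</name><value><boolean>1</boolean></value></member>
</struct></value></data></array></value></data></array></value>
<value><struct><member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member></struct></value>
<value><struct><member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member></struct></value>
</data></array></value></param></params></methodResponse>
"""

def parse_multicall_response(xml_text):
    """Return one bool per call: True where the login succeeded."""
    (results,), _method = xmlrpc.client.loads(xml_text)
    return [not (isinstance(r, dict) and "faultCode" in r) for r in results]

def count_calls(request_body):
    """Number of method calls one POST to xmlrpc.php carries. A plain call
    counts as 1; a system.multicall unpacks to its inner call count."""
    params, method = xmlrpc.client.loads(request_body)
    return len(params[0]) if method == "system.multicall" else 1

def is_suspicious(request_body, threshold=10):
    """Hypothetical detection rule: flag any multicall above `threshold`
    calls. Tune the threshold to the apps you actually let use XML-RPC."""
    return count_calls(request_body) > threshold
```

The lesson for detection is in count_calls: a per-request login limiter sees the three-guess multicall as one request, so a limiter on xmlrpc.php has to count the inner calls (or simply block the file, as above). The lesson for reading logs is in parse_multicall_response: a single 200 response to xmlrpc.php can hide a successful login among faults, so HTTP status codes alone say nothing about whether a brute force succeeded.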
✅ Hide the Login Page
Use a plugin like WPS Hide Login to change the default /wp-login.php URL. Treat this as obscurity rather than a control: it keeps your site out of bulk scans that hit the default path, but xmlrpc.php and the REST API still accept credentials unless you lock those down as well.
✅ Enable 2FA and Limit Login Attempts
Use plugins like:
- Wordfence
- iThemes Security
- Limit Login Attempts Reloaded
These rate-limit or lock out repeated failed logins and require a second factor, so a leaked username on its own gets an attacker nowhere.
Want a Simpler Way? Use a Secure Platform Like UltimateWB
WordPress is flexible – but also complex when it comes to security. If you’d rather focus on building your website instead of constantly patching vulnerabilities, consider a platform that’s secure by design while staying just as flexible.
UltimateWB gives you advanced features with built-in protection:
🔒 Admin username is never exposed
🔒 Admin login URL is hidden by default
🔒 Brute force protection is built in
🔒 No REST or author archive leaks to worry about
You get total control without needing to install multiple security plugins or edit server files.
Final Thoughts
WordPress doesn’t intentionally leak your admin username – but it makes it surprisingly easy for bots to find. That’s why even brand new sites often get targeted within hours.
Whether you stick with WordPress or choose a more secure builder like UltimateWB, the key is proactive protection. Don’t wait until you get hacked – lock it down from day one.
Ready to build a secure and powerful website?
Explore reviews and ratings to find the best website builder for your needs at ChooseWebsiteBuilder.com!