WordPress User Security

Out of the box, WordPress has a weakness when it comes to user security.

Attempting to log in with a valid username (but an incorrect password) gives away that an account exists with that username, and author archives use the user login in the URL, in the format site.com/author/{username}.

I’ve put together a quick plugin that remedies these issues. It:

  • Disguises login errors with a generic message
  • Disables author archives
  • Changes author links to the homepage
  • Changes author posts links to the site name / site URL

It’s pretty basic stuff but has led to a 300% decrease in login attempts using a valid username on this site alone.
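
A sketch of the four behaviours listed above using standard WordPress hooks. This is an added example, not the author's plugin; the message text, the choice to redirect author archives to the homepage, and the hook priorities are assumptions.

```php
<?php
/**
 * Plugin Name: Hide Usernames (added example, not the plugin described in this post)
 */

defined('ABSPATH') || exit;

// 1. Disguise login errors: collapse the error codes that reveal whether an
//    account exists into one generic error. Other errors (for example empty
//    fields) pass through unchanged. Priority 100 runs after core's checks.
add_filter('authenticate', function ($user) {
    if (!is_wp_error($user)) {
        return $user;
    }
    $revealing = array('invalid_username', 'invalid_email', 'incorrect_password');
    if (array_intersect($revealing, $user->get_error_codes())) {
        // Assumption: message wording is illustrative.
        return new WP_Error('login_failed', __('Invalid username or password.'));
    }
    return $user;
}, 100);

// 2. Disable author archives: any request that resolves to an author archive
//    is sent to the homepage (assumption: redirect rather than a 404).
add_action('template_redirect', function () {
    if (is_author()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// 3. Author links: every URL built by get_author_posts_url() becomes the
//    homepage, so themes and feeds no longer print /author/{username}.
add_filter('author_link', function () {
    return home_url('/');
});

// 4. Author posts links: the_author_posts_link() outputs the site name
//    linked to the site URL instead of the author's name and archive.
add_filter('the_author_posts_link', function () {
    return sprintf(
        '<a href="%s">%s</a>',
        esc_url(home_url('/')),
        esc_html(get_bloginfo('name'))
    );
});
```

To confirm the first filter is active, submit the login form once with a known username and once with a made-up one and check that the error text is identical in both cases.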

