You’ve taken all the measures to hide your WordPress login and admin screens from attackers, changed the default usernames, and stripped author names out of your theme. So you think you’re fine: there’s no way anyone can find your login usernames. Think twice! Below are two methods attackers use to enumerate WordPress usernames with nothing more than a simple, unauthenticated scan, together with a fix for each.

  1. Using /?author=1 Query Parameter
    1. Fix: Adding a Code Snippet to WordPress
  2. Using WordPress JSON REST Endpoint:/wp-json/wp/v2/users/1
    1. Fix: Disable via Code

1: Using /?author=1 Query Parameter: WordPress gives every account a numeric ID, and on a site with pretty permalinks a request for /?author=N is redirected to that account’s archive at /author/<nicename>/, where the nicename is by default derived from the login name. An attacker simply walks N = 1, 2, 3, ... and reads the usernames out of the redirect targets. To fix this, go to your WordPress dashboard – Appearance – Theme Editor and open functions.php in the right-hand panel. BE CAREFUL NOT TO MODIFY ANYTHING EXCEPT BY ADDING THE FOLLOWING SNIPPET OF CODE AT THE END OF THE FILE. Save, then request the URL below again to test. Keep in mind that anything added to a parent theme’s functions.php is lost on the next theme update; a child theme’s functions.php or a must-use plugin in wp-content/mu-plugins/ survives updates.

http://YOURSITE.COM/?author=1 

function redirect_to_home_if_author_parameter() {
	// get_query_var() returns '' when ?author= is absent (the second argument
	// is the default value, available since WordPress 3.9).
	$is_author_set = get_query_var( 'author', '' );
	if ( $is_author_set != '' && ! is_admin() ) {
		// Same answer for every ID, valid or not, so the response cannot be
		// used as an oracle for which user IDs exist.
		wp_redirect( home_url(), 301 );
		exit;
	}
}
// Priority 1: run before WordPress's own redirect_canonical(), which is also
// hooked to template_redirect (default priority 10) and is the code that
// rewrites ?author=N into /author/<nicename>/.
add_action( 'template_redirect', 'redirect_to_home_if_author_parameter', 1 );

2: Using WordPress JSON REST Endpoint: /wp-json/wp/v2/users/1: The REST API exposes a users collection at /wp-json/wp/v2/users and single accounts at /wp-json/wp/v2/users/<id>. Without any authentication these return JSON containing each account’s id, display name and slug (the nicename) for accounts that have published content, so the same ID walk works here too, and it works just as well through the /?rest_route=/wp/v2/users form on sites without pretty permalinks. To fix this, follow the same steps as before and add the following snippet at the end of functions.php. It removes both routes from the REST route table for visitors who are not logged in, so the URL below answers with a rest_no_route error instead of user data. Save, refresh and test again.

http://YOURSITE.COM/wp-json/wp/v2/users/1

function disable_rest_endpoints( $endpoints ) {
    // Keep the routes for logged-in users: the block editor's author selector
    // and similar features query /wp/v2/users and would break otherwise.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    // Collection route and single-user route, keyed exactly as core registers them.
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'disable_rest_endpoints' );
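To verify that both fixes actually close the leaks, here is an added checker script that performs the scan described above. It is example code written for this post, not part of the original article and not WordPress code. It assumes a hypothetical site at BASE_URL with pretty permalinks enabled, that a leaking site answers /?author=N with a redirect whose Location ends in /author/<nicename>/, and that an exposed REST users route returns JSON objects carrying a "slug" field; the sample responses embedded in it are constructed, not captured from any real site. Run it once before adding the snippets and once afterwards: a fixed site should report no usernames from either method.

```python
"""Username-enumeration checker for the two WordPress leaks above.

Added example, not from the original post. Assumptions:
  * BASE_URL is a hypothetical placeholder; point it at your own site.
  * Pretty permalinks are enabled, so a leaking site answers /?author=N
    with a redirect whose Location ends in /author/<nicename>/.
  * An exposed /wp-json/wp/v2/users route returns JSON objects that
    carry a "slug" field (the user_nicename).
"""
import json
import re
import urllib.error
import urllib.request

BASE_URL = "https://example.com"  # hypothetical; replace with your site
AUTHOR_ARCHIVE = re.compile(r"/author/([^/?#]+)/?")


def username_from_location(location):
    """Nicename from a redirect target such as https://site/author/alice/,
    or None when the Location header is missing or points elsewhere
    (for example the home page after the functions.php fix)."""
    if not location:
        return None
    match = AUTHOR_ARCHIVE.search(location)
    return match.group(1) if match else None


def usernames_from_rest(body):
    """Slugs from a /wp/v2/users response: a list for the collection route,
    a single object for /users/<id>, and nothing for an error object such
    as rest_no_route (what the rest_endpoints fix produces) or non-JSON."""
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return []
    if isinstance(data, dict):
        data = [data]
    if not isinstance(data, list):
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses: the Location header is the evidence."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url):
    """GET without following redirects; returns (status, headers, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # urllib raises for 3xx/4xx/5xx
        return err.code, err.headers, err.read().decode("utf-8", "replace")


def scan(base_url, max_id=5):
    """Probe both leaks; returns {"author_param": {id: nicename}, "rest": [slugs]}."""
    by_id = {}
    for uid in range(1, max_id + 1):
        status, headers, _ = fetch(f"{base_url}/?author={uid}")
        if 300 <= status < 400:
            name = username_from_location(headers.get("Location"))
            if name:
                by_id[uid] = name
    _, _, body = fetch(f"{base_url}/wp-json/wp/v2/users")
    return {"author_param": by_id, "rest": usernames_from_rest(body)}


# Constructed sample responses (not captured from a real site) showing what
# the parsers see before and after the two fixes.
SAMPLES = {
    "author_before": "https://example.com/author/alice/",
    "author_after": "https://example.com/",
    "rest_before": '[{"id":1,"name":"Alice","slug":"alice"},{"id":2,"name":"Bob","slug":"bob"}]',
    "rest_after": '{"code":"rest_no_route","message":"No route was found matching the URL and request method.","data":{"status":404}}',
}


def demo_offline():
    """Run the parsers over SAMPLES; returns the leaked names per case."""
    return {
        "author_before": username_from_location(SAMPLES["author_before"]),
        "author_after": username_from_location(SAMPLES["author_after"]),
        "rest_before": usernames_from_rest(SAMPLES["rest_before"]),
        "rest_after": usernames_from_rest(SAMPLES["rest_after"]),
    }


if __name__ == "__main__":
    print(json.dumps(demo_offline(), indent=2))
    # Live check against your own site (uncomment after setting BASE_URL):
    # print(json.dumps(scan(BASE_URL), indent=2))
```

The script deliberately does not follow redirects: the username sits in the Location header of the 3xx answer, and after the fix that header points at the home page instead. Treat an empty result from both methods as necessary but not sufficient; it only shows these two routes are closed for unauthenticated visitors.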

Done! If you have any questions please don’t hesitate to reach out!