Improve security by preventing author lookup

By default, WordPress allows a URL query to look up the site's authors. This is done by simply appending the following to the site URL:

?author=1

From a WordPress perspective, the system sees the ‘author’ query variable in the URL and tries to match a user with that ID, just as it tries to find the post or page closest to the URL entered. Should it find one, it redirects the visitor to that author's archive page, whose URL contains the admin username.

Perhaps your admin username doesn’t have the ID of 1? That makes the username harder to find, but by no means impossible: an attacker simply changes the ID number in the URL until a match is found, or writes a script that checks every number in a range.

Once a potential hacker has identified the username of a WordPress account, half the battle is won, and they only need to brute-force the password to get access.

While many security plugins have a feature to block author scans, you can also add this functionality to your theme by adding the following to your theme’s functions.php file, or to a custom plugin:

function redirect_to_homepage_if_author_parameter() {
  // get_query_var() returns the author ID whether it came from ?author=N or /author/<name>/.
  $is_author_set = get_query_var( 'author', '' );
  // template_redirect only fires on front-end requests; is_admin() is kept as an extra guard.
  if ( '' !== $is_author_set && ! is_admin() ) {
    wp_redirect( home_url(), 301 );
    exit;
  }
}
// Priority 1 so this runs before WordPress's own redirect_canonical() (hooked at priority 10),
// which would otherwise redirect ?author=N to /author/<username>/ first and leak the name
// in the Location header before this function ever runs.
add_action( 'template_redirect', 'redirect_to_homepage_if_author_parameter', 1 );

This redirects every request carrying an author query to the site homepage, so author archive pages are never served.
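The redirect above stops the leak, but the scripted range scans described earlier still show up in the web server's access log, and they are worth alerting on. The following is an added example (not code from the original post): it parses combined-format access-log lines and flags any client that probes several distinct ?author= IDs within a short window. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches Apache/nginx "combined" access-log lines: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)(?:&|$)')

def parse_line(line):
    """Return (ip, timestamp, author_id) for a request carrying ?author=<digits>, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    a = AUTHOR_RE.search(m.group('path'))
    if not a:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, int(a.group(1))

def find_enumeration(lines, min_ids=3, window_seconds=600):
    """Return {ip: sorted author IDs} for clients probing >= min_ids distinct IDs within window_seconds."""
    per_ip = defaultdict(list)
    for line in lines:
        hit = parse_line(line)
        if hit:
            ip, ts, aid = hit
            per_ip[ip].append((ts, aid))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0  # sliding window over this client's author requests, oldest first
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({aid for _, aid in events[start:end + 1]}) >= min_ids:
                flagged[ip] = sorted({aid for _, aid in events})
                break
    return flagged

# Constructed sample log lines (not real traffic): a scripted scan from one client, a single hit from another.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:12:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:06:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".splitlines()
```

A single visitor who lands on one author URL is not flagged; only the client cycling through IDs is, which keeps the alert useful once the redirect is in place (the 301s keep appearing in the log even though no author page is served).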

Hope that helps.
