Your WordPress site comments are giving information to hackers

Published 23 May 2015 in Blogging, Security, WordPress by ZigPress

Something I recently discovered: if you run a WordPress site and make a comment on a post yourself while logged in, information relating to your username is added to the HTML that makes up the comment when displayed on the post page.

Specifically, a version of your username that WordPress calls 'user_nicename' is added to the CSS classes of the comment's <LI> element, as a class of the form 'comment-author-' followed by the nicename. For example, if my user login for this site was 'ZigPress' (it isn't), the class 'comment-author-zigpress' would be added to any comment I made on the site while logged in.

As you may have deduced from the above paragraph, your 'user_nicename' is derived from your username when your user account is created (lower-cased and turned into a URL slug), and it cannot be edited from your profile in admin. It is NOT the same as the 'Nickname' that you can edit from your profile. Having this value in the HTML of your page hands a would-be attacker the username behind every comment made by a registered account, which on most sites means the admin user, and removes the username-guessing half of a brute-force login attack.
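To make the leak concrete, here is an added example (my code, not anything from the original post) that parses the comment markup WordPress core emits and pulls out every nicename it finds. The HTML is constructed to look like a typical rendered comment list; the 'byuser' class marks a registered account and 'bypostauthor' marks the post's own author, so those comments are the ones an attacker would try first. Save the HTML of a real post page and feed it to the same function to audit your own site.

```python
"""Find WordPress usernames leaked through comment CSS classes.

Added example, not code from the original post. It parses the markup that
WordPress core's comment_class() emits and collects every user_nicename.
"""
import re
from html.parser import HTMLParser

# Constructed sample. Comment 12 is by the logged-in post author (note the
# 'byuser', 'comment-author-<nicename>' and 'bypostauthor' classes), comment 13
# is an anonymous guest comment, comment 14 is by another registered user.
SAMPLE_HTML = """
<ol class="comment-list">
  <li id="comment-12" class="comment byuser comment-author-zigpress bypostauthor even thread-even depth-1">
    <div class="comment-author vcard"><b class="fn">Andy</b></div>
    <p>Thanks for reading.</p>
  </li>
  <li id="comment-13" class="comment odd alt thread-odd thread-alt depth-1">
    <div class="comment-author vcard"><b class="fn">Farrell John Conejos</b></div>
    <p>Thank you for posting this.</p>
  </li>
  <li id="comment-14" class="comment byuser comment-author-jane-editor even depth-2">
    <div class="comment-author vcard"><b class="fn">Jane</b></div>
    <p>Agreed.</p>
  </li>
</ol>
"""

COMMENT_ID_RE = re.compile(r"^comment-(\d+)$")
AUTHOR_CLASS_RE = re.compile(r"^comment-author-(.+)$")


class CommentClassParser(HTMLParser):
    """Collect (comment id, nicename, is-post-author) from each comment <li>."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        if tag != "li":
            return
        attrs = dict(attrs)
        classes = (attrs.get("class") or "").split()
        # Core only adds 'byuser' and 'comment-author-*' when the comment
        # belongs to a registered account; guest comments carry neither.
        if "byuser" not in classes:
            return
        nicename = None
        for cls in classes:
            m = AUTHOR_CLASS_RE.match(cls)
            if m:
                nicename = m.group(1)
                break
        if nicename is None:
            return
        id_match = COMMENT_ID_RE.match(attrs.get("id") or "")
        self.leaks.append({
            "comment_id": int(id_match.group(1)) if id_match else None,
            "nicename": nicename,
            "post_author": "bypostauthor" in classes,
        })


def find_leaked_nicenames(html):
    """Return one dict per registered-user comment found in the page."""
    parser = CommentClassParser()
    parser.feed(html)
    parser.close()
    return parser.leaks


def candidate_logins(html):
    """Distinct nicenames worth trying at wp-login.php, post author first."""
    leaks = find_leaked_nicenames(html)
    authors = {leak["nicename"] for leak in leaks if leak["post_author"]}
    names = {leak["nicename"] for leak in leaks}
    return sorted(names, key=lambda n: (n not in authors, n))


if __name__ == "__main__":
    for leak in find_leaked_nicenames(SAMPLE_HTML):
        flag = " (post author)" if leak["post_author"] else ""
        print(f"comment {leak['comment_id']}: nicename {leak['nicename']!r}{flag}")
    print("try first:", candidate_logins(SAMPLE_HTML))
```

Note that the guest comment is skipped entirely: without 'byuser' there is no account behind it, so the visible author name there is just whatever the visitor typed.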

The only way to change it is to do so directly in the database, and I would strongly recommend that you do so now. You can change the 'user_nicename' safely without affecting any aspect of your site's operation, apart from the URL of any 'author' archive pages on your site, whose slug is the nicename. Bear in mind that anything exposing those URLs (for instance WordPress redirecting a request for ?author=1 to that user's archive) exposes the nicename too, so this change closes that route as well. Not many sites use the author archive, and you'll know if you do, so I don't see this as being a big problem.


Log in to phpMyAdmin or whatever you use to access your site’s database.

Display the contents of the wp_users table (yours might not start with wp_), so you can see your admin user account’s ID. It will be a number, probably quite small, like 1.

Run a query like this:

UPDATE wp_users SET user_nicename = 'abcdefgh' WHERE ID = 1;

Substitute your table name if different, ID if different, and put in a random set of characters for the new user_nicename; don't copy mine. For example, if your table name is mywp_users and your admin account ID is 3, and you come up with 'D8vhSB4nschD' as a random string of characters, your query would look like this:

UPDATE mywp_users SET user_nicename = 'D8vhSB4nschD' WHERE ID = 3;

Once you have run that query and got a result like '1 row affected', you're done. Any comments you make on posts on your own site while logged in will no longer leak information about your username.

After doing this, I recommend that you change the username you use to log in as well. You can do that in the same way, except that instead of changing user_nicename, you would change user_login. Your password hash is not tied to the login name, so it keeps working, but your current login session will not survive the change: the authentication cookie carries the username, so expect to log in again with the new one straight away.

Using Author Archives

If you do use the author archives and don't really want a random string of characters in your author archive URLs, simply use a name which is sensible but not the same as your username. For example, if my user_login for this site was 'andytaylor' (it isn't), I could choose to set my user_nicename to 'andyt'. By doing this, hackers might try to log in with the username 'andyt' but would fail, because nothing in the page reveals that 'andytaylor' is the actual username used for logging in. This only holds as long as the login is not exposed some other way, for instance as your public display name.
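The following added example (mine, not from the original post) covers both the database procedure above and the author-archive advice: it finds accounts whose stored nicename is still exactly what WordPress derived from the login, and vets a proposed replacement before you run the UPDATE. The derivation approximates WordPress's sanitize_title() (lower-case, drop anything but letters, digits, space, underscore and hyphen, turn spaces into hyphens); the wp_users rows are constructed, and restricting replacements to lowercase letters, digits, hyphens and underscores is my own conservative rule, chosen to match the alphabet WordPress itself generates for nicenames.

```python
"""Audit wp_users nicenames and vet a replacement before changing it.

Added example, not the original post's code. derive_default_nicename()
approximates WordPress's sanitize_title() as applied to user_login when an
account is created; validate_nicename() applies the rules a replacement
should satisfy before the UPDATE from the post is run.
"""
import re
import secrets
import string

# Constructed sample of (ID, user_login, user_nicename) rows from wp_users.
USERS = [
    (1, "ZigPress", "zigpress"),        # default nicename: reveals the login
    (3, "andytaylor", "andyt"),         # chosen by hand: does not
    (4, "Jane Editor", "jane-editor"),  # default nicename: reveals the login
]

NICENAME_MAX_LEN = 50  # limit WordPress enforces when it saves a user
SAFE_NICENAME_RE = re.compile(r"^[a-z0-9_-]+$")  # my conservative alphabet


def derive_default_nicename(login):
    """Approximation of WordPress's sanitize_title() applied to user_login."""
    s = login.lower()
    s = re.sub(r"[^a-z0-9 _-]", "", s)
    s = re.sub(r"\s+", "-", s)
    s = re.sub(r"-+", "-", s)
    return s.strip("-")


def audit_users(rows):
    """IDs of accounts whose nicename is exactly what WordPress would have derived."""
    return [uid for uid, login, nicename in rows
            if nicename == derive_default_nicename(login)]


def validate_nicename(candidate, login, taken):
    """Return (ok, reason) for a proposed replacement nicename for `login`.

    `taken` holds nicenames already used by other accounts; author archives
    are resolved by nicename, so the value must stay unique.
    """
    if not candidate:
        return False, "empty"
    if len(candidate) > NICENAME_MAX_LEN:
        return False, "longer than 50 characters"
    if not SAFE_NICENAME_RE.match(candidate):
        return False, "use only lowercase letters, digits, hyphens and underscores"
    if candidate in taken:
        return False, "already used by another account"
    if candidate in (login.lower(), derive_default_nicename(login)):
        return False, "still equals the login"
    return True, "ok"


def random_nicename(length=12):
    """Random lowercase replacement: the 'random set of characters' option."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    leaking = audit_users(USERS)
    print("accounts whose nicename reveals the login:", leaking)
    for uid, login, current in USERS:
        if uid not in leaking:
            continue
        others = {n for i, _, n in USERS if i != uid}
        new = random_nicename()
        ok, why = validate_nicename(new, login, others)
        if ok:
            # Safe to interpolate: the value passed SAFE_NICENAME_RE above.
            print(f"UPDATE wp_users SET user_nicename = '{new}' WHERE ID = {uid};")
        else:
            print(f"ID {uid}: rejected {new!r}: {why}")
```

The 'andyt' case from the section above passes validation even though it is a prefix of 'andytaylor'; only an exact match with the login, or with what WordPress would have derived from it, is rejected. The post's mixed-case example string is rejected by the alphabet rule, which is stricter than the database itself requires.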


  1. On 25 May 2015 at 20:09, Farrell John Conejos said:

    If this information is true, then it is certainly best to share this to everyone, not only the website owners but for visitors as well. Thank you for posting this very useful and informative blog.

  2. On 29 May 2015 at 18:15, Disaster Recovery said:

    Great info thanks for sharing

  3. On 25 Jun 2015 at 10:29, Sofie Studsgaard said:

    Thanks, this is a big problem and therefore shared it on some social media sites. Actually WordPress should have more focus on the users' anonymity. It makes sense that admins etc. can collect the IPs and so on in case of abuse, but otherwise as little information as possible should be collected.

  4. On 25 Jun 2015 at 15:40, biogreen science said:

    If that's true, how to handle that? Because I can't separate between comment or malware?

  5. On 19 Jul 2015 at 16:43, Chana said:

    Great read, thanks.

  6. On 28 Jul 2015 at 18:59, Jon said:

    Thanks for the heads up!

  7. On 01 Oct 2015 at 19:43, Gavi said:

    Great article, thank you for the tips! Definitely scary to know how easy it is for someone to hack into my site just by the name that is shown, following your tips now!

  8. On 29 Oct 2015 at 20:04, waqas said:

    Very informative post. Thanks for sharing.
