As a WordPress site owner, you know how important it is to keep your site secure from hackers. One of the most common threats you face is the brute force attack, where attackers use automated tools to repeatedly guess login credentials until they find a way in. It's a crude but often effective tactic: the Wordfence 2022 WordPress Security Report found that brute force attacks made up 81% of WordPress attack attempts, with 1.6 billion attacks blocked per month.
A key way that hackers identify targets for brute force attacks is through author scans. WordPress sites have author pages at predictable URLs like yoursite.com/author/username that display all posts by that user, and a request such as yoursite.com/?author=1 is redirected to the matching author page, which reveals the username behind user ID 1. By scanning through these IDs, attackers can quickly harvest a list of usernames to feed into their brute force tools. It's as if they could peek at the username half of the login form, so all they have to do is guess the password.
Fortunately, blocking author scans is a simple yet powerful way to hide this information from attackers and reduce the risk of brute force attacks. In this guide, I'll walk you through exactly how to implement author scan blocking on your WordPress site, step by step.
How to Block Author Scans in WordPress
The easiest way to block author scans is by adding a few lines of code to your site's .htaccess file, which is a configuration file used by Apache web servers. Here's the code snippet you need:

```apache
# Block WordPress author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (^|&)author=\d
RewriteRule ^ - [L,R=403]
```

Here's what this code does:
- RewriteEngine On: enables the rewrite engine that allows for URL manipulation
- RewriteBase /: sets the base path for the rewrite rules
- RewriteCond %{QUERY_STRING} (^|&)author=\d: matches requests whose query string includes author= followed by a digit, which is the signature of an author scan request
- RewriteRule ^ - [L,R=403]: if the condition above is met, this rule stops processing and returns a 403 Forbidden status code instead of the page
To implement this on your WordPress site:
- Log in to your site via FTP or your hosting control panel's file manager
- Navigate to your WordPress installation directory (typically public_html or www)
- Look for the .htaccess file and download a copy as a backup
- Open the .htaccess file for editing
- Paste the code snippet above at the bottom of the file
- Save the changes and re-upload the file if using FTP
- Clear your browser cache and re-test your site to make sure it's working
If your site uses Nginx instead of Apache, you can still block author scans by adding this code to your site's server block:

```nginx
# Block WordPress author scans (place inside the server { } block)
# Refuse ?author=N requests, the same check the .htaccess rule above performs
if ($arg_author ~ "^[0-9]") {
    return 403;
}
# Refuse direct requests to /author/ and every path beneath it
location ^~ /author/ {
    return 403;
}
```

Some WordPress security plugins like Wordfence and iThemes Security also have built-in options to block author scans as part of their brute force protection features. For example, in Wordfence, you can enable author scan protection under "Firewall > Brute Force Protection." This can be a quick alternative if you're not comfortable editing .htaccess.
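To confirm the block actually works after editing .htaccess or the Nginx config, here is an added verification script (not from the original post) that classifies the server's answer to the two probe requests; on an unprotected site the ?author=1 request comes back as a redirect whose Location header names the /author/username/ page, and that redirect is the leak the rules above stop. SITE is a placeholder for your own domain.

```python
"""Check that author-scan blocking is in place on your own WordPress site.
Added example, not from the original post. SITE is a placeholder."""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

AUTHOR_PATH = re.compile(r"/author/([^/?#]+)/?")


def classify(status, location=None):
    """Classify one probe response as (verdict, username-or-None).
    status is the HTTP status code, location the Location header if any."""
    if status == 403:
        return ("blocked", None)          # rewrite rule / nginx location hit
    if status in (301, 302, 307, 308) and location:
        m = AUTHOR_PATH.search(location)
        if m:
            return ("leak", m.group(1))   # redirect reveals the username
        return ("redirect", None)
    if status == 200:
        return ("exposed", None)          # author page served directly
    return ("other", None)                # e.g. 404 for a non-existent user


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(site, path):
    """Fetch site+path without following redirects and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urljoin(site, path), timeout=10) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        # 3xx and 4xx answers arrive here once redirects are not followed
        return classify(err.code, err.headers.get("Location"))


if __name__ == "__main__":
    SITE = "https://example.com/"         # placeholder: your own site
    for path in ("?author=1", "author/placeholder-user/"):
        print(path, probe(SITE, path))    # expect ("blocked", None) for both
```

Run it before and after adding the rules: a "leak" verdict on ?author=1 means the redirect still exposes the username, while "blocked" on both probes means the Apache or Nginx rule is in effect.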
The Benefits and Risks of Blocking Author Scans
By blocking author scans, you're essentially hiding half of the information attackers need to break into your site. Instead of only having to guess passwords, they now have to guess both usernames and passwords, which is a much harder task. Research by the WP White Security team found that blocking author scans can reduce brute force attacks by up to 96%.
However, it's important to note that blocking author scans is not a complete solution to brute force attacks. Determined hackers may still try common usernames like "admin" or find other ways to enumerate users, such as post author pages, user profile links, or the WordPress REST API. Author scan blocking should be one part of a multi-layered approach to WordPress security.
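Because blocking is only one layer, it also helps to notice when someone is sweeping ?author=N against your site. The following is an added detection example (not from the original post) that runs over constructed Apache/Nginx combined-format access log lines and flags any client that probed several distinct author IDs, counting how many probes leaked a redirect versus how many were blocked with 403.

```python
"""Flag ?author=N enumeration sweeps in a combined-format access log.
Added example, not from the original post; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_Q = re.compile(r"[?&]author=(\d+)")   # same condition as the .htaccess rule

# Constructed sample: one sweeping client, one blocked probe, one normal visitor
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:06:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def author_sweeps(log_text, min_ids=2):
    """Return {ip: {"ids": [...], "leaked": n, "blocked": n}} for each client
    that requested at least min_ids distinct author IDs."""
    per_ip = defaultdict(lambda: {"ids": set(), "leaked": 0, "blocked": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line
        q = AUTHOR_Q.search(m["path"])
        if not q:
            continue                       # not an author probe
        rec = per_ip[m["ip"]]
        rec["ids"].add(int(q.group(1)))
        status = int(m["status"])
        if status in (301, 302):           # WordPress redirect to /author/<name>/
            rec["leaked"] += 1
        elif status == 403:                # stopped by the rewrite rule
            rec["blocked"] += 1
    return {ip: {**r, "ids": sorted(r["ids"])}
            for ip, r in per_ip.items() if len(r["ids"]) >= min_ids}


if __name__ == "__main__":
    for ip, rec in author_sweeps(SAMPLE_LOG).items():
        print(ip, rec)   # 203.0.113.5 probed IDs 1-3, two leaked, none blocked
```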
There's also a potential SEO and usability impact to consider. When you block direct access to author pages, users and search engine bots that request those URLs get an error response (403 Forbidden with the rules above). Over time, this could hurt your SEO, as search engines may see your site as having thin or low-quality content.
To mitigate this risk, I recommend using an SEO plugin like Yoast SEO or Rank Math to set a canonical URL on author pages pointing to your homepage. This tells search engines that your homepage is the main version of the content, avoiding duplicate content and low-quality page issues. You can also consider changing your WordPress permalink structure under "Settings > Permalinks" to remove author names from the URL string altogether.
Block Author Scans as Part of a Complete WordPress Security Strategy
While blocking author scans can certainly improve your WordPress security, it's most effective as part of a comprehensive strategy to harden your site against attacks. Here's a quick overview of other security best practices I recommend:
| Security Measure | Description |
|---|---|
| Strong passwords | Use long, random, unique passwords and never reuse passwords across sites. Consider a password manager like LastPass or 1Password. |
| Two-factor authentication | Enable 2FA for all WordPress user accounts. The Two-Factor plugin makes this easy. |
| Limit login attempts | Install a plugin like Limit Login Attempts Reloaded or Login Lockdown to block users after a certain number of failed login attempts. |
| Update regularly | Always update to the latest versions of WordPress core, themes, and plugins to patch known vulnerabilities. Consider enabling auto-updates or using a management tool like ManageWP. |
| Security plugins | Install a comprehensive security plugin like Wordfence, Sucuri Security, iThemes Security, or Jetpack to add extra protection. |
| Harden WordPress | Implement WordPress hardening best practices like disabling file editing, protecting wp-config.php and .htaccess, changing the database prefix, disabling XML-RPC, and more. See the WordPress Codex Hardening guide for a full list. |
| Monitor for threats | Regularly scan your site for malware, unauthorized changes, and suspicious activity. Most security plugins include malware scanning and email alerts. |
| Backup regularly | Make sure you have complete, automatic backups of your WordPress files and database that you can quickly restore in an emergency. Use a plugin like UpdraftPlus or BackupBuddy. |
By combining author scan blocking with these other security measures, you can build a strong defense against brute force attacks and other threats. While no site is 100% secure, these steps will make it much harder for hackers to compromise your site and limit the damage if they do get in.
Wrapping Up
Brute force attacks continue to be a major threat to WordPress sites, and author scans are a key way that hackers identify targets. By adding a simple code snippet to your .htaccess file or installing a security plugin to block author scans, you can hide usernames from attackers and significantly reduce your risk.
Remember, security is an ongoing process. Stay on top of updates, monitor your site for signs of trouble, and make backups frequently. By being proactive and layering multiple defenses, you can keep your WordPress site safe so you can focus on creating great content and serving your audience.
Key Takeaways:
- Author scans allow hackers to easily find usernames to target in brute force attacks
- Block author scans by adding code to your .htaccess file or using a security plugin
- Use canonical URLs or change permalink structure to avoid SEO issues from blocking author pages
- Combine author scan blocking with other WordPress security best practices for a strong defense
- Be proactive and treat security as an ongoing process, not a one-time fix
If you have any questions about implementing author scan protection on your WordPress site or other security concerns, feel free to get in touch. I'm always happy to help my readers keep their sites safe. Stay secure out there!
