Switchboard DOCS
Docs
Get Started Get Lifetime Deal

Obfuscate Author Slugs

WordPress makes it easy to discover usernames. Just visit /author/admin/ or /?author=1 and you’ve found a valid username to target. Attackers use this for brute force attacks — they know the username, now they just need to guess the password. This module replaces readable usernames in URLs with random hashes, making enumeration much harder.

Use Cases

  • Hide admin and editor usernames from author archive URLs
  • Block the /?author=1 enumeration trick
  • Protect multi-author blog contributor usernames
  • Add a layer of obscurity to slow down targeted attacks
  • Keep author identities private on pseudonymous sites

How It Works

This is a toggle module — enable it and author slugs are automatically obfuscated. No configuration needed.

When enabled:

  1. Author links are rewritten to use a 10-character hash instead of username
  2. Author archives still work — the hash resolves to the correct author
  3. The /?author=1 parameter enumeration is blocked
  4. Existing links using real usernames stop working

What Changes

LocationBeforeAfter
Author archive URL/author/johndoe//author/a4f7d2e1b9/
Post author linkshref="/author/johndoe/"href="/author/a4f7d2e1b9/"
Author enumeration/?author=1 shows usernameShows obfuscated hash

Example

Before:

yoursite.com/author/admin/
yoursite.com/author/johndoe/
yoursite.com/author/editor-jane/

After:

yoursite.com/author/8f4e2a1d9c/
yoursite.com/author/3b7c9f2e5a/
yoursite.com/author/1d6a8e4f2b/

How the Hash is Generated

Each author’s hash is created from:

  1. Their WordPress user ID
  2. Your site’s AUTH_KEY from wp-config.php
  3. MD5 hashing, truncated to 10 characters

This means:

  • The same author always gets the same hash (consistent URLs)
  • Different sites have different hashes (can’t guess from one site to another)
  • Hashes can’t be reversed to reveal the username

Verification

After enabling:

  1. Visit your blog and check any “Posted by” links
  2. The URL should contain a hash like /author/a4f7d2e1b9/
  3. Click the link — should load the correct author’s posts
  4. Try visiting /author/admin/ directly — should 404
  5. Try yoursite.com/?author=1 — should resolve to hash URL

What About the Author Name Display?

This module only changes URLs/slugs. The author’s display name shown on posts is unaffected:

  • URL: /author/a4f7d2e1b9/ (obfuscated)
  • Display: “Posted by John Doe” (unchanged)

If you want to hide author names entirely, that’s a separate theme customization.

FAQ

Will this break existing author links?Yes. Old links using the real username (/author/johndoe/) will return 404. The new hashed URLs are the only working author archive URLs. Search engines will need to reindex the new URLs.
What if I disable the module later?Author URLs will revert to normal usernames. Any links to the hashed URLs will then 404. Enabling and disabling frequently isn’t recommended.
Do the hashes ever change?Only if your AUTH_KEY changes (rare) or if a user’s ID changes (shouldn’t happen). Under normal operation, each author’s hash stays consistent.
Can attackers still find usernames?

The author display name is often still visible on posts (theme dependent). This module protects against URL-based enumeration, not all username exposure. For maximum protection, consider also:

  • Using display names different from usernames
  • Disabling author archives entirely (separate module)
Does this work with custom author bases?Yes. If you’ve changed your author base slug (e.g., /writer/ instead of /author/), the obfuscation still applies to whatever base you’re using.
What about sites with thousands of users?The module limits lookups to 1,000 users for performance. On sites with more users, some author archives may not resolve correctly. For very large sites, consider disabling author archives entirely instead.
Will this affect SEO?There’s a transition period where search engines need to reindex. Old author URLs will 404, new ones need to be discovered. For established sites with significant author archive traffic, consider the SEO implications before enabling.

Limitations

  1. Display names visible: Author names shown on posts are theme-controlled, not affected by this module
  2. REST API: If REST API is public, usernames may still be exposed via /wp-json/wp/v2/users — consider the Disable REST API module too
  3. User limit: Performance-optimized for sites with under 1,000 users
  4. Breaking change: Enabling changes all author URLs immediately

For maximum username protection, combine this module with:

  • Disable REST API — prevents API-based enumeration
  • Disable Author Archives — removes author pages entirely
  • Hide WP Version — reduces information exposure overall

This is “security through obscurity” — one layer of defense. It makes enumeration harder but doesn’t replace strong passwords and limited login attempts. Use alongside other security measures.

PRO

Get access to all 147 modules with a single license

Upgrade to Pro
Prev
Default OG Image
Next
Email Obfuscator