You might wonder where attackers get your WordPress admin username from and how do they find it so quickly? There are two places where the admin name is shown.
- In posts. If you create posts under admin, your admin username will be displayed there at the author of the post.
- In /wp-json/wp/v2/users json file. Add this line to end of your domain you will see an unformatted list.
To address the first situation you can create an alias for your admin account and that will be used in your blogs posts instead of the real admin name. Some familiarity with MySQL commands is necessary. The value you will need to change in the DB is called ‚user_nicename‘. Here’s an article that outlines it.
An easier way is to never create any posts under an admin user. Your site might have multiple admin users for various users. Try not to post anything under those account. There are other user roles like: editor, author, contributor that can and should be used for creating posts!
The second situation with the json page can be resolved using a plugin. The WP Hardening plugin or Disable WP REST API will do the trick for you. You can also do it manually as described here. But keep in mind that most web hosting providers use REST API from and for their control panels to manage your site, provide support, update things, etc. Disabling REST API will break all of their functionality and you will be on your own.
We created our Premium service so that people don’t have to do any manual work and be well protected nonetheless!