Title: Database Username (user_nicename) Last modified: February 14, 2021 --- # Database Username (user_nicename) * Resolved [eddyferns](https://wordpress.org/support/users/eddyferns/) * (@eddyferns) * [5 years, 3 months ago](https://wordpress.org/support/topic/database-username-user_nicename/) * Hi, * Needed to know how does NFW hides Database Username (user_nicename) in user enumeration security. * Regards, Ed Viewing 10 replies - 1 through 10 (of 10 total) * Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/) * (@nintechnet) * [5 years, 3 months ago](https://wordpress.org/support/topic/database-username-user_nicename/#post-14053296) * Hackers search for user_login because they can use it to run brute-force attacks, but not user_nicename. You want to hide it from what type of user enumeration attempt? * Thread Starter [eddyferns](https://wordpress.org/support/users/eddyferns/) * (@eddyferns) * [5 years, 3 months ago](https://wordpress.org/support/topic/database-username-user_nicename/#post-14053352) * user_nicename has the WordPress login username. The following displays the user_nicename( WordPress login username). Obviously one can change the user_nicename but I need to know how NFW removes or hides this for Nginx. * [https://domain.com/author/john/](https://domain.com/author/john/) via [https://domain.com/?author=1](https://domain.com/?author=1) * [https://domain.com/wp-json/wp/v2/users/?per_page=100&page=1](https://domain.com/wp-json/wp/v2/users/?per_page=100&page=1) - This reply was modified 5 years, 3 months ago by [eddyferns](https://wordpress.org/support/users/eddyferns/). * Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/) * (@nintechnet) * [5 years, 3 months ago](https://wordpress.org/support/topic/database-username-user_nicename/#post-14055735) * This is blocked by “Firewall Policies > Protect against username enumeration > Through the author archives”: * > [https://domain.com/author/john/](https://domain.com/author/john/) via [https://domain.com/?author=1](https://domain.com/?author=1) * This is blocked by “Firewall Policies > Protect against username enumeration > Through the WordPress REST API”: * > [https://domain.com/wp-json/wp/v2/users/?per_page=100&page=1](https://domain.com/wp-json/wp/v2/users/?per_page=100&page=1) * Thread Starter [eddyferns](https://wordpress.org/support/users/eddyferns/) * (@eddyferns) * [5 years, 3 months ago](https://wordpress.org/support/topic/database-username-user_nicename/#post-14056220) * I am aware of these options. * Was referring to the code that you use. Whether you you utilize rewrite rules, if statements etc. * Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/) * (@nintechnet) * [5 years, 3 months ago](https://wordpress.org/support/topic/database-username-user_nicename/#post-14056367) * We don’t use rewrite rules in NinjaFirewall, they all can be easily bypassed and wouldn’t work with Nginx. The firewall hooks into WordPress API instead, that’s much more efficient and compatible with any HTTP server. * Thread Starter [eddyferns](https://wordpress.org/support/users/eddyferns/) * (@eddyferns) * [5 years, 3 months ago](https://wordpress.org/support/topic/database-username-user_nicename/#post-14056582) * The rewrite rules worked with Nginx as I tried it myself. But Nginx strongly recommends against it. * As long as NFW doesn’t involve the server I think that should be alright. * Thread Starter [eddyferns](https://wordpress.org/support/users/eddyferns/) * (@eddyferns) * [5 years, 3 months ago](https://wordpress.org/support/topic/database-username-user_nicename/#post-14059339) * For [https://domain.com/?author=1](https://domain.com/?author=1), does NFW redirects to the home page? * Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/) * (@nintechnet) * [5 years, 3 months ago](https://wordpress.org/support/topic/database-username-user_nicename/#post-14064207) * That’s correct. As indicated in [the doc](https://blog.nintechnet.com/securing-wordpress-with-a-web-application-firewall-ninjafirewall/): * > This option will prevent access to the author archives page. Note that NinjaFirewall > will not block the request but will invalidate it and redirect the user to > the blog index page. The reason is that search engines such as Google may try > to index that page and it is better to nicely redirect them rather than returning > a 403 Forbidden message and closing the connection. * Thread Starter [eddyferns](https://wordpress.org/support/users/eddyferns/) * (@eddyferns) * [5 years, 3 months ago](https://wordpress.org/support/topic/database-username-user_nicename/#post-14064384) * I heard that in case of a redirect the bot scanners do not follow the link but instead pick the author name which then doesn’t meet the security objective. * If that is the case wouldn’t it be better to return a blank page instead? * Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/) * (@nintechnet) * [5 years, 3 months ago](https://wordpress.org/support/topic/database-username-user_nicename/#post-14067369) * Bots will search for the user name in the HTML page, but here they won’t find it. Viewing 10 replies - 1 through 10 (of 10 total) The topic ‘Database Username (user_nicename)’ is closed to new replies. * ![](https://ps.w.org/ninjafirewall/assets/icon-256x256.png?rev=976137) * [NinjaFirewall (WP Edition) - Advanced Security Plugin and Firewall](https://wordpress.org/plugins/ninjafirewall/) * [Frequently Asked Questions](https://wordpress.org/plugins/ninjafirewall/#faq) * [Support Threads](https://wordpress.org/support/plugin/ninjafirewall/) * [Active Topics](https://wordpress.org/support/plugin/ninjafirewall/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/ninjafirewall/unresolved/) * [Reviews](https://wordpress.org/support/plugin/ninjafirewall/reviews/) * 10 replies * 2 participants * Last reply from: [nintechnet](https://wordpress.org/support/users/nintechnet/) * Last activity: [5 years, 3 months ago](https://wordpress.org/support/topic/database-username-user_nicename/#post-14067369) * Status: resolved