What Are Author Scans in WordPress?
Author scans are automated attempts to reveal usernames on your WordPress site by adding query strings like:
- https://yourdomain.com/?author=1
- https://yourdomain.com/?author=2
If your site doesn’t block these scans, WordPress redirects them to author archive pages, exposing the real usernames of registered users, especially admin accounts. Hackers then use those usernames to launch brute-force login attacks, guessing passwords over and over again.
Why Are Author Scans Dangerous?
| Threat | Potential Impact |
| --- | --- |
| Exposed usernames | Makes admin accounts easier to target |
| Brute-force attacks | Hackers repeatedly guess login credentials |
| Account takeover | If weak passwords are used, attackers gain access |
| Site defacement or shutdown | Once in, hackers can damage or delete content |
Even if you’ve secured your login with a strong password, exposing usernames gives attackers half of what they need.
How to Block Author Scans through WordPress Manager
STEP 1: Log in to your cPanel.
There are three methods to log in to your cPanel.
- Method 1: Log in to your cPanel directly.
- Method 2: Log in to your cPanel through your Customer Portal.
  - Log in to your Customer Portal.
  - Click on "Log in to cPanel".
- Method 3: Log in using the details sent to your email.
  - When you purchase a hosting plan, your cPanel login details (including username, password, and cPanel URL) are automatically sent to your registered email address. Simply check your inbox (or spam folder), locate the email, and use the provided credentials to access your cPanel.
STEP 2: Locate the Software section and click on Softaculous Apps Installer.
STEP 3: Click the box for Installations.
An alternative is to select the “All Installations” icon from the menu in the upper-right corner.
STEP 4: Click the WordPress icon next to the installation you want to manage.
STEP 5: In WordPress Manager, select the website you want to secure.
STEP 6: Tap on the Security Measures section.
STEP 7: Check the box for “Block author scans”, and click Apply.
This security measure:
- Prevents author-based URL enumeration.
- Blocks malicious bots trying to discover your admin login.
- Keeps your login page and users more secure.
NOTE: If your site uses author archive pages (e.g., blog pages like /author/john-smith/), blocking author scans may disable public access to those pages. If this is critical to your content strategy, you may skip this setting or configure it manually to block only bots (not humans).
How to Test If Your Site Is Vulnerable
Type the following in your browser:
- https://yourdomain.com/?author=1
If it redirects to /author/username/ — your usernames are exposed.
If it shows a 404 or redirects back to the homepage — you’re protected.
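The same test can be scripted for a site you administer. The following is an added example, not part of the original article or any LyteHosting tooling: it requests /?author=1 without following redirects and applies the two rules above. The function names, the "inconclusive" result and the handling of 403 are assumptions made for this example.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header can be read."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx response


def classify(status, location):
    """Apply the article's test to one response to /?author=N."""
    if status in (301, 302, 303, 307, 308):
        # Path segments of the redirect target, e.g. ["author", "john-smith"].
        parts = [p for p in urlsplit(location or "").path.split("/") if p]
        if "author" in parts[:-1]:
            return "exposed"    # redirected to /author/<username>/
        return "protected"      # redirected elsewhere, e.g. the homepage
    if status in (403, 404):
        # 404 is the article's "protected" case; counting a 403 block
        # the same way is an assumption of this example.
        return "protected"
    return "inconclusive"       # e.g. 200: open the page and check by hand


def check_site(base_url, author_id=1):
    """Fetch <base_url>/?author=<id> on your own site and classify the reply."""
    opener = urllib.request.build_opener(_NoRedirect)
    url = f"{base_url.rstrip('/')}/?author={author_id}"
    try:
        with opener.open(url, timeout=10) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Location"))


if __name__ == "__main__":
    # Usage: python check_author_scan.py https://yourdomain.com
    print(check_site(sys.argv[1]))
```

Run it once before and once after enabling “Block author scans” to confirm the setting took effect.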
Frequently Asked Questions (FAQs)
Q: Will blocking author scans affect my SEO?
Only if your theme relies heavily on author archive pages for traffic. For most business, store, or portfolio sites, it has zero negative SEO impact.
Q: Can I still manage users and authors from the backend?
Yes. This only affects public URL access, not the WordPress dashboard.
Q: What if I need to show author archives?
Use an SEO plugin like Rank Math or Yoast to display public author bios without exposing login usernames.
If you need help, kindly reach out to LyteHosting support.