By default, WordPress is a CMS that does not hide the user ID, which is the same as the login ID. This means that a hacker attempting to gain unauthorized access to the site can log in as long as they know the password. We will explain how to completely hide your WordPress administrator ID.

There are three places where the WordPress user ID is displayed (or included in the HTML code)

There are three places where a hacker can obtain a WordPress user ID, either mechanically or visually.

1 The user ID is displayed as a contributor on the display page of each post.

2 The author’s page that is shown when the query author=number is added to the URL.

3 JSON data output when a query such as wp-json/wp/v2/users/number or ?rest_route=/wp/v2/users is appended to the site URL.

*In addition, some plugins (Yoast SEO) output user IDs.

We will explain how to hide user IDs in each of these places.

1 Solving the problem of user IDs being output on the display page of each post

The easiest solution here is to specify a different nickname and display name from the login ID on the user’s profile edit page.

2 Disable access to the contributor’s page when the query author=number is given in the URL.

WordPress automatically generates a page that lists the contributors’ articles. If the contributor and the administrator are the same, the administrator’s user ID = login ID will be exposed from this page.
You can force the author page to be disabled by adding the following to your .htaccess file.

The .htaccess file is a configuration file that is placed on the server and can be rewritten by accessing the WordPress server with FTP software.

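RewriteEngine On
# Skip requests under /wp-admin.
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
# Match any query string that contains author=<digit>.
RewriteCond %{QUERY_STRING} author=\d
# Redirect to the site root; the trailing ? drops the query string.
RewriteRule ^ /? [L,R=301]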

3 JSON data output

You can suppress the JSON data output of WordPress user-related information by including the following code in your theme’s functions.php.

add_filter( 'rest_endpoints', function ( $endpoints ) {
    // Remove the route that lists users.
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    // Remove the route that returns a single user by numeric ID.
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

*Measures 2 and 3 can easily be applied with the [Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
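
One way to check the web server's access log for requests to exposure points 2 and 3 above, and to see whether REST user lookups are still being answered. This is an added example, not code from the original page; the Apache combined log format, the sample log lines and all function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined" format assumed: ip - - [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
USERS_ROUTE = re.compile(r'^/wp/v2/users(/\d+)?/?$')

def probe_kind(target):
    """Name the exposure point a request target touches, or return None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = parse_qs(parts.query)
    if path.lower().startswith('/wp-admin'):   # same exclusion as the rewrite rule
        return None
    if any(v.isdigit() for v in query.get('author', [])):
        return 'author-query'                  # ?author=number
    if path.startswith('/wp-json') and USERS_ROUTE.match(path[len('/wp-json'):]):
        return 'rest-users'                    # /wp-json/wp/v2/users[/number]
    if any(USERS_ROUTE.match(v) for v in query.get('rest_route', [])):
        return 'rest-users'                    # ?rest_route=/wp/v2/users[/number]
    return None

def scan(lines):
    """Map client IP -> [(kind, status), ...] for every matching request."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and (kind := probe_kind(m.group(2))):
            hits[m.group(1)].append((kind, int(m.group(3))))
    return dict(hits)

def unblocked_rest(hits):
    """Clients whose REST user lookup got a 200: the route is still registered."""
    return sorted(ip for ip, seen in hits.items() if ('rest-users', 200) in seen)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "-"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "-"',
    '203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/Jan/2024:10:00:04 +0000] "GET /?rest_route=%2Fwp%2Fv2%2Fusers%2F1 HTTP/1.1" 404 90 "-" "-"',
    '198.51.100.4 - - [10/Jan/2024:10:01:00 +0000] "GET /wp-admin/edit.php?author=1 HTTP/1.1" 200 900 "-" "-"',
    '198.51.100.4 - - [10/Jan/2024:10:01:05 +0000] "GET /2024/01/hello-world/ HTTP/1.1" 200 4000 "-" "-"',
]

if __name__ == '__main__':
    found = scan(SAMPLE)
    print(found, unblocked_rest(found))
```

A 301 on an author query does not by itself show that the rewrite rule is in effect, because the access log does not record where the redirect points. A 200 on a REST user route means the route still exists and the functions.php filter is not active.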

Is it dangerous to expose my WordPress user ID?

Hackers use brute force attacks, repeatedly attempting logins in order to gain administrative privileges. Even if the WordPress user ID is exposed, this brute force attack will not succeed if the password is strong enough, so there is no danger just because the WordPress user ID is exposed.

The most dangerous security risk is a weak user password.
We recommend that you change your password to one that is at least 14 characters long, meaningless, and contains at least one alphanumeric symbol.

Characteristics of Dangerous Passwords
1 Less than 6 characters
2 Meaningful words
4 Meaningful words + short sequence of numbers
5 Passwords containing administrator ID
6 Passwords that contain only letters or numbers
7 Passwords that follow the order of the keyboard (e.g., qwerty)
8 Part of a meaningful word with a number (e.g., passw0rd)
9 Names of famous people
10 Passwords with the same sequence of letters

We hope this helps you.