Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
25 Million+
Websites using our plugins
Years of WordPress experience
WordPress tutorials
by experts

How to Discourage Brute Force by Blocking Author Scans in WordPress

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

A common technique used by hackers to gain unauthorized access to websites is called ‘Brute Force’. Using this technique, hackers use software designed to scan a website for vulnerabilities and gain access by exploiting any of them. We use Sucuri for security of our websites because they actively block malicious requests. One common entry point that these brute force bots try to exploit is by running an author scans. In this article, we will show you how to discourage brute force by blocking author scans in WordPress.

Note: If you are using Limit Login Attempt and Google Authenticator, then you are pretty well-protected against brute-force attacks.

First lets understand what these brute force attempts are trying to do. At first they try to find a username on your blog or the author id. Often username used to sign into WordPress and the author name are the same. Once they find a username, then this solves 50% of the puzzle. Now they brute force your site to crack the password by trying various different password combinations.

To block author scanning on your website, simply add this code in .htaccess file in WordPress root directory.

# BEGIN block author scans

RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]

# END block author scans 

This will block bots from running author scans on your website. Your website users can still access the author pages, but bots will not be able to do so.

We hope that you found this tip useful. We want to emphasize that this does not prevent brute force attacks. This is just a cautionary step that you can take to discourage the hacker. When someone desperately wants to attack your site, then they will find a way to do so. We strongly recommend that you use Sucuri and keep regular WordPress backups. P.S. here are 5 reasons why we use Sucuri.

This tip was sent by: Ian Armstrong

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

13 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Julian says

    Hello. The code to block author scans caused a 404 error on some pages. After removing this code from my .htaccess file, the pages loaded successfully. I used this code on 2 sites with the exact same results.

    I understand this tutorial was published 5 years ago, can you please consider updating it?

    • WPBeginner Support says

      No it will not. It will only block if a bot is trying to access the author url using query string. Search and adsense crawlers crawl pages by accesing links on your site. If you are already using pretty permalinks then your author URLs will be accessible to search engines with a link like /author/Sanskar


  3. lando says

    Hi wpbeginner,

    How do I verify if the code works? I have added the code at the very bottom of my .htaccess file.


  4. Keith Davis says

    Thanks for this one guys
    Nice and easy to add that to .htaccess.

    I use the limit logins and I recently found a great plugin called Simple Firewall, which adds a GASP checkbox to your login panel.

    I’m with you guys about using Sucuri – pretty cheap when you think about it and if you use it on several sites, price per site is even cheaper.

  5. Zimbrul says

    I never use the same user for the blog author and the site admin as the author link and username can be easily found out. Usualy the admin is a 22+ characters username with a 22+ characters password and a very difficult to guess email address. This will take years to guess. And I also got the Limit login plugin… I don t use Google authenticator as this forbid me to log on a website using the WordPress application for mobile.

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.