As experienced WordPress security specialists, we've seen hackers rely on brute force attacks to breach sites. These automated tools scan for vulnerabilities, often starting with author pages to guess usernames. At our agency, we use Sucuri to actively block malicious traffic, but adding extra layers like blocking author scans strengthens your defenses. Here's our proven method to discourage these bots.
Note: If you're using Google's limited login attempts and two-factor authentication, you're already well-shielded from brute force risks.
Brute force bots first hunt for usernames through author identifiers, which usually match WordPress login names. Discovering a valid username halves their work, leaving only the password to hammer with combinations. Pretty permalinks help, but bots still probe query strings such as ?author=1, ?author=2 and so on; WordPress redirects each one to the author's archive URL, and that URL contains the author slug, which by default is the login name.
To block these scans, add this code to your site's root .htaccess file:

```apache
# Block Author Scans
RewriteEngine On
RewriteBase /
# Match a query string containing author=<digits>; [NC] makes the match case-insensitive.
# Note: this also matches other parameter names ending in "author=" (e.g. coauthor=5);
# use (^|&)author=([0-9]+) instead if such parameters are legitimate on your site.
RewriteCond %{QUERY_STRING} author=([0-9]+) [NC]
# Answer 403 Forbidden instead of letting WordPress redirect to the author archive.
RewriteRule .* - [F]
# End Block Author Scans
```

This forbids bots from enumerating authors via query parameters while still letting human visitors reach clean author archive URLs (e.g., /author/username/). The rule only takes effect on Apache (or another server that honours .htaccess) with mod_rewrite enabled; on nginx an equivalent rule has to go into the server configuration. We've implemented this on client sites running Sucuri without issues.
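To see what the rule above actually matches, and to confirm from your access log that it is live, here is an added example (not code from the original article, nor from Sucuri or WordPress). It expresses the RewriteCond pattern as a Python regex, adds a stricter variant that is my own hardening suggestion rather than part of the original rule, and audits constructed Apache combined-format log lines (documentation IP ranges, not real traffic): each client IP gets a count of author probes and of how many the server refused with 403, so an IP whose probes were not all refused tells you the rule is missing or bypassed.

```python
import re
from collections import defaultdict

# The .htaccess RewriteCond pattern as a Python regex; Apache's [NC] is re.IGNORECASE.
LOOSE_AUTHOR_RE = re.compile(r"author=([0-9]+)", re.IGNORECASE)
# Stricter variant (hypothetical hardening, not the original rule): only a
# parameter literally named "author", at the start of the query or after '&'.
STRICT_AUTHOR_RE = re.compile(r"(?:^|&)author=([0-9]+)", re.IGNORECASE)


def is_blocked(query_string, strict=False):
    """Return True if the rewrite rule would answer 403 for this query string."""
    pattern = STRICT_AUTHOR_RE if strict else LOOSE_AUTHOR_RE
    return pattern.search(query_string) is not None


# Apache "combined" format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines. 203.0.113.7 hits a protected site (403);
# 198.51.100.9 hits one where the rule is missing (301 redirect leaks the slug).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:08:01:12 +0000] "GET /?author=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [10/May/2024:08:01:13 +0000] "GET /?author=2 HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [10/May/2024:08:01:14 +0000] "GET /?Author=3 HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; scanner)"
198.51.100.9 - - [10/May/2024:08:05:40 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
198.51.100.9 - - [10/May/2024:08:05:41 +0000] "GET /?coauthor=5 HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.44 - - [10/May/2024:08:10:02 +0000] "GET /author/ian/ HTTP/1.1" 200 8450 "https://example.com/" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:08:10:09 +0000] "GET /?s=author HTTP/1.1" 200 6200 "https://example.com/" "Mozilla/5.0"
"""


def audit_author_probes(log_text, strict=False):
    """Summarise author-enumeration probes per client IP.

    Returns {ip: {"probes": n, "blocked": n, "ids": [...]}}; "blocked" counts
    the probes the server actually refused with 403, which is the evidence an
    administrator wants that the rewrite rule is live.
    """
    pattern = STRICT_AUTHOR_RE if strict else LOOSE_AUTHOR_RE
    summary = defaultdict(lambda: {"probes": 0, "blocked": 0, "ids": set()})
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line
        query = match.group("path").partition("?")[2]
        if not is_blocked(query, strict):
            continue  # clean permalinks and ordinary searches are not probes
        entry = summary[match.group("ip")]
        entry["probes"] += 1
        if match.group("status") == "403":
            entry["blocked"] += 1
        entry["ids"].add(int(pattern.search(query).group(1)))
    return {ip: {**e, "ids": sorted(e["ids"])} for ip, e in summary.items()}


def unprotected_ips(summary):
    """IPs whose probes were not all refused: the rule is missing or bypassed there."""
    return sorted(ip for ip, e in summary.items() if e["blocked"] < e["probes"])


if __name__ == "__main__":
    result = audit_author_probes(SAMPLE_LOG)
    for ip, entry in result.items():
        print(ip, entry)
    print("not fully blocked:", unprotected_ips(result))
```

Running it with the loose pattern shows the collateral match the comment in the .htaccess warns about: the `?coauthor=5` request counts as a probe and is refused, whereas `strict=True` ignores it. Point `audit_author_probes` at your own access log (read the file into a string) to check the rule on a real site.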
This step won't stop determined attackers but raises the bar significantly. Pair it with Sucuri for real-time protection and regular backups. Here are 5 reasons we trust Sucuri.
Tip submitted by: Ian Armstrong