Obfuscation & Hardening
Author slug obfuscation, email address encoding, and user enumeration prevention.
Last updated Feb 21, 2026
Overview
ArmorPro includes obfuscation features that hide sensitive information from attackers and bots. These features make it harder for automated tools to discover usernames and harvest email addresses from your site, reducing the attack surface for brute force attempts and spam.
Author slug obfuscation
Setting: author_slug_obfuscation (enabled by default)
Why it matters
Attackers commonly enumerate WordPress usernames by visiting /author/1/, /author/2/, and so on, or by querying the REST API at /wp-json/wp/v2/users. Once they have valid usernames, they use them for targeted brute force attacks. Obfuscating author slugs removes this reconnaissance vector entirely.
How it works
When enabled, ArmorPro replaces each user's real author slug (which is typically their username) with a randomly generated UUID. This affects the site in several ways:
- Author archives are accessible via /author/{obfuscated-uuid}/ instead of /author/{username}/
- Direct requests to /author/{username}/ are blocked, returning a 404
- Author links throughout your site (post bylines, author pages) are automatically rewritten to use the obfuscated slug
- REST API user objects have the slug field removed, preventing username discovery via the API
The obfuscated UUIDs are stored in the armor_author_slugs database table, mapping each user ID to a unique random UUID. These UUIDs persist across page loads and are only regenerated if you disable and re-enable the feature.
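One way to confirm the behaviour described above on your own site, as an added example that is not ArmorPro code: the Python below audits a saved /wp-json/wp/v2/users response body and rendered page HTML for a slug field or author link that still contains a real username. The sample responses, the example.test host, the username jsmith, and all function names are constructed for illustration.

```python
import json
import re

# Matches the path segment that follows /author/ in a URL or href.
AUTHOR_SEGMENT = re.compile(r"/author/([^/\"'?#\s<>]+)", re.IGNORECASE)


def author_segments(text):
    """Return every /author/<segment> value found in a URL or HTML string."""
    return [m.lower() for m in AUTHOR_SEGMENT.findall(text)]


def audit_rest_users(body, usernames):
    """Check a /wp-json/wp/v2/users response body for username exposure."""
    known = {u.lower() for u in usernames}
    findings = []
    for user in json.loads(body):
        uid = user.get("id")
        if "slug" in user:
            findings.append(f"user {uid}: 'slug' field present ({user['slug']!r})")
        for seg in author_segments(user.get("link", "")):
            if seg in known:
                findings.append(f"user {uid}: 'link' exposes username {seg!r}")
    return findings


def audit_html(html, usernames):
    """Check rendered page HTML for author links that still use a username."""
    known = {u.lower() for u in usernames}
    return [f"author link exposes username {seg!r}"
            for seg in author_segments(html) if seg in known]


# Constructed sample data: a response shaped as this page describes with the
# feature enabled, and one shaped like a stock WordPress user object.
HARDENED = '[{"id": 1, "name": "Site Editor", "link": "https://example.test/author/3f2b6c1e-9a47-4d0b-8e21-5c7a9d104f66/"}]'
EXPOSED = '[{"id": 1, "name": "Site Editor", "slug": "jsmith", "link": "https://example.test/author/jsmith/"}]'
BYLINE = '<a href="https://example.test/author/jsmith/">Site Editor</a>'

if __name__ == "__main__":
    logins = ["jsmith"]  # the site's real usernames, supplied by the admin
    for label, body in (("hardened", HARDENED), ("exposed", EXPOSED)):
        print(label, audit_rest_users(body, logins) or "no username exposure found")
    print("byline", audit_html(BYLINE, logins))
```

Run it against responses saved from your own site after enabling the setting, and again after theme or plugin changes that render author links.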
Email obfuscation
Setting: email_obfuscation (enabled by default)
How it works
When enabled, email addresses that appear in your post content are replaced with encoded HTML entities. A small JavaScript decoder is added to the page footer that converts the encoded entities back into readable, clickable email links for human visitors. Automated scraping bots that parse raw HTML will only see the encoded characters and cannot harvest the email addresses.
Scope
Email obfuscation applies to post content only, via the the_content filter at priority 999. It does not affect:
- The WordPress admin area
- Post metadata or custom fields
- Emails in widget content or theme templates
- Emails sent via wp_mail()
Tip
Both obfuscation features are enabled by default. Unless you have a specific reason to disable them (such as a custom author archive integration), leave them on for maximum protection.
Important
Author slug obfuscation changes your author archive URLs. If you have external links pointing to /author/username/, those links will return 404 after enabling this feature. Update any external references to use the new obfuscated URLs.