If you’re a hacker, WordPress is an attractive target: it is one of the most common CMS and blog platforms on the planet. As I write this reminder I’m using WordPress 3.9.
To get access to a WordPress admin area you need two things: a username and a password. Without precautions, WordPress makes it fairly easy for a hacker to get your username.
On many WordPress websites you will see a blog post with the name of the author attached, rather like this one. If you hover over the “by Dave Walker” section you’ll see the link to the author page. Unfortunately, by default when named permalinks are in place (and they should be, for SEO purposes), the author page name is the actual username!
This is governed by the database field wp_users.user_nicename, which is not updateable via the dashboard.
It makes sense to ensure that all user_nicename entries do not match the actual usernames.
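
One way to run that check directly against the database, as an added example that is not part of the original post. It assumes MySQL or MariaDB and the default "wp_" table prefix; the user ID and the new slug in step 2 are placeholder values.

```sql
-- Added example. Assumes MySQL/MariaDB and the default "wp_" table prefix.

-- 1. Audit: list accounts whose author slug gives away the login name.
--    WordPress derives user_nicename from user_login when the account is
--    created (lowercased, with spaces and dots turned into hyphens and
--    characters such as "@" dropped). Stripping those separators from both
--    sides is a heuristic that catches the derived form as well as exact
--    matches, e.g. login "Dave Walker" against slug "dave-walker".
SELECT ID, user_login, user_nicename
FROM wp_users
WHERE REPLACE(LOWER(user_nicename), '-', '') =
      REPLACE(REPLACE(REPLACE(REPLACE(LOWER(user_login),
              ' ', ''), '.', ''), '@', ''), '-', '')
ORDER BY ID;

-- 2. Fix one flagged account. The ID (1) and the slug ('site-editor') are
--    placeholders: pick a slug made of lowercase letters, digits and
--    hyphens that has nothing in common with the login name.
--    First confirm the slug is not already in use (expect 0):
SELECT COUNT(*) AS already_taken
FROM wp_users
WHERE user_nicename = 'site-editor';

--    Then apply it to that single row:
UPDATE wp_users
SET user_nicename = 'site-editor'
WHERE ID = 1;

-- 3. Re-run the audit query from step 1; the fixed account should no
--    longer be listed.
```

Changing user_nicename changes the author page URL for that user, so any existing links to the old author page will need updating or redirecting.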