Securing Admin Accounts – Username Discovery

All we need is an easy explanation of the problem, so here it is.

We’ve had Limit Login Attempts installed for some weeks now, and the number of brute force attempts occurring on wp-admin/wp-login is pretty amazing. At first the attempts were all with the username “Admin,” which doesn’t exist on our site, so I considered it an annoyance but not much of a threat. However, now we’re seeing lockouts occurring with other named admin user accounts, and I’m completely at a loss to understand how the attackers are deducing the usernames of these accounts.

No content on our site is authored by anyone in particular and I can’t find any other location on our site where these usernames are publicly published.

Any idea as to how usernames might be discoverable?

How to solve:

Below is an explanation of the problem and the solutions collected for it. There is more than one method; we recommend the first one because it has been tested.

Method 1

If you have pretty permalinks enabled, WordPress will redirect all calls to /?author=1 to the author archive with the username, e.g. /author/bob/. And then the visitor will know the author name.

Use Login Lockdown; that plugin does not reset accounts, it blocks IP addresses.

Method 2

Clever buggers. I think I am just going to redirect requests to /?author=. Sound reasonable? Something like:

<?php
// Send any request that resolves to an author archive back to the site root,
// so the archive page (and with it the username in its URL) is never shown.
add_action( 'template_redirect', 'my_author_redirect' );
function my_author_redirect() {
    if ( is_author() ) {
        wp_redirect( get_bloginfo( 'url' ), 301 );
        exit;
    }
}
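The leak described in Method 1 happens inside WordPress's own canonical redirect, which also runs on template_redirect (it is registered in core before any plugin callback at the same priority, so the snippet above runs only after the Location header pointing at /author/bob/ has already been sent). The following is an added example, not code from either answer, showing the same idea hooked on init so the probe is stopped before the canonical redirect ever runs. The function name, the log message and the suggested wp-content/mu-plugins/ location are assumptions.

```php
<?php
/*
Plugin Name: Block author enumeration (added example, not from the original thread)
Description: Drop this file into wp-content/mu-plugins/ (assumed location) to stop
             /?author=N probes before WordPress redirects them to /author/<username>/.
*/

// 'init' fires before 'template_redirect', which is where core's canonical
// redirect turns /?author=1 into /author/bob/ and thereby discloses the login name.
add_action( 'init', 'example_block_author_enumeration', 1 );

function example_block_author_enumeration() {
    // Admin screens use ?author= legitimately (post lists filtered by author);
    // only front-end requests carry the enumeration risk.
    if ( is_admin() ) {
        return;
    }

    // A numeric ?author= query is the enumeration probe. Real visitors reach
    // author archives through /author/<slug>/ links, never through a numeric id.
    if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        // Record the probe so it can be correlated with the login lockouts
        // (assumed log destination: the PHP error log).
        error_log( sprintf(
            'author enumeration probe from %s for author=%s',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $_GET['author']
        ) );

        // Answer with a redirect to the site root that carries no user information.
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
```

The numeric check matters: author archives requested by slug still work, so legitimate author pages are unaffected, while the id-walking probe (author=1, 2, 3, ...) that maps ids to usernames gets nothing back but the home page.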

Note: Use method 1, as it is the one that has been tested on our system.
Thank you 🙂

All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
