Hacking Attempts - Hide username? (6 posts)

  1. eyesi
    Member
    Posted 1 year ago #

    I have the "Login Lock" plugin installed and I regularly receive emails telling me that there's been a malicious attempt to log in to my site. I'm not usually concerned by this because I have the plugin set to only allow 4 login attempts then ban the IP address for a week.

    Also the attempts usually target the username "admin" which I don't use. I have a completely unique username and, in the user profile settings, I have it set to publicly display a different nickname.

    Just recently, however, I have noticed a couple of attempts to log in using my unique username, which is not publicly visible. How is it possible for someone to discover this username and how can I protect it from being seen?

  2. runnerb0y
    Member
    Posted 1 year ago #

    The post author and comment author are visible if you look at the source code on a page. I'm also looking for a way to hide/eliminate this information. On my blogs it's really not needed and when I was running a much older version of WP (3.0.5 I think) I was able to strip this information out. The trick no longer works. :-(

  3. Have you looked at the latest code poet resource? - http://build.codepoet.com/2012/07/10/locking-down-wordpress/

    There might be some good info in there.

  4. mvandemar
    Member
    Posted 1 year ago #

    The Codepoet pdf doesn't contain any info pertaining to that. @runnerb0y, I am not sure which trick you were using, but if you remove all references of the_author(), the_author_link(), get_the_author(), and any the_author_meta() calls that invoke 'user_login' (ie. "the_author_meta( 'user_login' )" ) from your theme then it should no longer appear anywhere.

  5. eyesi
    Member
    Posted 1 year ago #

    I recently found the answer to this problem. Basically you edit your .htaccess file to include the following line: -

    RewriteRule ^author/(.*)$ http://www.[your domain URL]/ [R,L]

    This prevents people from entering: -

    http://www.[your domain]/?author=1 …?author=2 etc. This will reveal the author's username but the .htaccess rule will redirect them to the home page.

    The discussion that provided that answer can be found here: -

    wp security checklist

  6. MickeyRoush
    Member
    Posted 1 year ago #

    You may want to check out my old post here:
    http://wordpress.org/support/topic/some-wannabe-hackers-found-my-admins-login-any-ideas-about-it?replies=12#post-2826181

    I'm the person that came up with that first RewriteRule. And it doesn't work against /?author=1

    It works for finding the authors' archives, which may or may not be using their username. It may be using their nickname, which can be different if you choose.

    If you want to block phishing the author by ID you'll need to do something like this:

    RewriteCond %{QUERY_STRING} (^|&)author=\d+
    RewriteRule ^ http://example.com/? [R=301,L]

    Where example.com is your domain.

    Or just use this plugin:
    http://wordpress.org/extend/plugins/wp-author-slug/

    If you use that plugin, just make sure your Nickname is different from your Username and make sure that your Nickname is the name set to:
    "Display name publicly as"

Topic Closed

This topic has been closed to new replies.
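A defender-side check for the two request shapes discussed in this thread, as an added example that is not part of any post above: it scans access-log lines for numeric ?author=N lookups and /author/<slug>/ archive hits, counted per client IP. The log lines, IP addresses, function names and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2012:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "-"
203.0.113.7 - - [10/Jul/2012:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "-"
203.0.113.7 - - [10/Jul/2012:10:00:03 +0000] "GET /index.php?paged=2&author=3 HTTP/1.1" 404 0 "-" "-"
198.51.100.4 - - [10/Jul/2012:10:05:00 +0000] "GET /author/jane/ HTTP/1.1" 200 5120 "-" "-"
198.51.100.4 - - [10/Jul/2012:10:06:00 +0000] "GET /?s=author=1 HTTP/1.1" 200 900 "-" "-"
"""

# Captures the client IP and the request target of one combined-format line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')

def classify(target):
    """Return 'author_id', 'author_archive' or None for a request target."""
    parts = urlsplit(target)
    # The numeric ID travels in the query string, which a RewriteRule
    # pattern is never matched against; only the URL path is.
    ids = parse_qs(parts.query).get("author", [])
    if any(re.fullmatch(r"[0-9]+", v) for v in ids):
        return "author_id"
    # Pretty-permalink author archive: the form a path-only rule can match.
    if re.match(r"^/author/[^/]+/?$", parts.path):
        return "author_archive"
    return None

def scan(log_text, threshold=3):
    """Count both request kinds per IP; flag IPs at or above the threshold
    of author_id requests (threshold is an assumed, tunable value)."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target = m.groups()
        kind = classify(target)
        if kind:
            hits[ip][kind] += 1
    counts = {ip: dict(c) for ip, c in hits.items()}
    flagged = sorted(ip for ip, c in counts.items()
                     if c.get("author_id", 0) >= threshold)
    return counts, flagged

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A search such as /?s=author=1 is not counted, because the author parameter itself is absent from the parsed query string.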
