WordPress.org

Ready to get started?Download WordPress

Forums

[closed] Some wannabe hackers found my admin's login, any ideas about it ? (14 posts)

  1. Sabinou
    Member
    Posted 2 years ago #

    Hello everyone :)

    I've been using the ThreeWP Activity Monitor plugin to see if there were attempts to log in as admin on my blog, and it allowed me to notice something I didn't expect.

    I saw a dictionary attack (thousands of attempts to log in with a series of popular passwords) using my REAL admin's username.

    You see, as soon as my blog was created, I created another secret admin-powered user, with a rare username, and deactivated the "admin"-username account.
    This way, I thought, even with the right password, a hacker would need to know my username too.
    And yet, somebody found a way to know what my actual login was.

    I'm a bit confused, here, would you guys know if there's a way to know the username of the admin of a blog ?(So that I can disable it at once.)

    I post my shares under my admin username, however my posts' template doesn't show my admin's username.
    My blog plugins are all sound and still listed in the wordpress repository, with nobody reporting security issues with them, my template is a default one, a file-to-file binary comparison tool using folder comparison didn't find any suspicious edit in my blog files... So, what ?
    So... well, I don't know. I've read the usual "help! my blog has been hacked" pages, over time I've grown experienced in matters of wordpress security (I did plenty of mistakes from which to learn, haha), but, in the present case, I fail to find where I could have been at fault...

    Thanks if you've got an idea or a suggestion :)

  2. There may be an sql query out there to determine a login name; either that, or they guessed it. I've seen that happen, esp. if it was simply the first name of a contributor.

    I use http://wordpress.org/extend/plugins/limit-login-attempts/ and http://wordpress.org/extend/plugins/block-bad-queries/

    And http://wordpress.org/extend/plugins/redirection/ to log 404's and shut out bad IPs.

    Search the plugin directories for other security plugins. And see
    http://codex.wordpress.org/Hardening_WordPress

  3. Sabinou
    Member
    Posted 2 years ago #

    Thanks Songdotech, I'll definitely make use of the two first plugins you gave, they'll be damn useful :)

    May I ask what you mean, about the "there may be an sql query out there to determine a login name", do you mean : an sql query that a third party (meaning : NOT an insider, already a member with some user rank) could adress to my blog engine ?!?

    Lastly, just in case somebody with the proper relations (or you, Songdotech, haha= reads this, WordPress should REALLY allow something to help sysadmins, to physically log events to a text file.
    Why ? >> Fail2ban, the heavenly apache addition parsing given log files to automatically ban server-wide IPs generating more than a given number of a given set of expressions :)
    I am dead serious about this, if WordPress allowed such a feature, server security would get to another level.

  4. The could be a query out there that can be run by third parties to check if logins are valid. Or, they guess them, which sometimes isn't too difficult.

    Fail2Ban requires root access to install the softwware on a server, and that kind of access isn't available to users of shared hosts. Fail2ban can be used with WordPress for either logins or spam comments, but it has to be isntalled on the server. http://blog.shadypixel.com/spam-log-plugin/

  5. MickeyRoush
    Member
    Posted 2 years ago #

    I'm sure it's possible that there is some type of Google dork that may help determine WordPress admin usernames. Actually if you create any posts with your admin username WordPress will create author archives. It will show the actual username (not nickname - even if you choose that option). To test this theory try searching your site:

    hxxp://example.com/author/username/

    Where example.com is your site's url and username is your admin username. See what it returns. I've noticed that even if you choose the option to display your nickname (instead of your admin username) it will still show your username.

    You can't always rely on your robots.txt file to discourage bots from indexing those files either. And now that authors have the ability to get there image shown next to their blog, there maybe a reason for bots to look for the keyword 'author'. So you may or may not want to prevent this, but if you do, read on. Otherwise create a separate account to write up articles, etc that you don't mind being indexed.

    To prevent this, you can either use a RewriteRule with .htaccess or place this in your theme's functions.php:

    /* Redirect author archive pages */
    add_action('template_redirect', 'my_archive_template_redirect');
    function my_archive_template_redirect()
    {
        global $wp_query, $post;
    
        if (is_author())
        {
            $wp_query->set_404();
        }
    
        if (is_feed())
        {
            $author     = get_query_var('author_name');
    
            if (!empty($author))
            {
                $wp_query->set_404();
                $wp_query->is_feed = false;
            }
        }
    }

    You can actually redirect more, like archive dates, attachments, etc. You could also just redirect them to your home page instead of returning a 404 Not Found.

  6. MickeyRoush
    Member
    Posted 2 years ago #

    If you didn't want to redirect all authors, but just ones with the admin username, you could just add your admin username within the brackets like so:

    if (is_author('username'))

    or you could put this in your .htaccess above your WordPress permalink rules to redirect them to your home page.

    RewriteRule ^author/username/ http://example.com/ [R=301,L]

    Replace 'username' with the one your are wanted to prevent being seen and replace 'example.com' with your site url.

  7. Sabinou
    Member
    Posted 2 years ago #

    Hi, thanks you very much for the useful replies, everyone ! I'm grateful, and I'll be keeping a lot of this for reference :)

    I think the answer was much more mundane than I thought, it was straightforwardly displayed in my RSS feed, as a visitor reported to me ¬_¬

    I'll have to find how to customize the feed's output, I guess.

  8. MickeyRoush
    Member
    Posted 2 years ago #

    I also forgot this. You can possibly find out the admin user name by typing this in the url:

    http://www.example.com/?author=1
    http://www.example.com/?author=2
    http://www.example.com/?author=3

    If it returns something without error, it will display whatever you have set up in the Profile page in the box "Display name publicly as" in the page itself. And if you look in the browser tab, it will display the actual Username that you have set up in the Profile page.

    Usually a lower number will be an admin because it was most likely created when the site was being developed. I block this type of request at the php level, but you could try putting this in your .htaccess if you're having an issue with it:

    RewriteCond %{REQUEST_URI} \?author=\d+ [NC]
    RewriteRule .* - [F]
  9. @MickeyRoush said

    http://www.example.com/?author=1

    That works; it shows my author ID as user 1 even though I changed it in the database from admin to the current name.

  10. Sabinou
    Member
    Posted 2 years ago #

    Ew, so anybody can know the admin's true username :( Good info !

    So, in this post, we learn there are several ways for the anons to discover the admin's username, the feed, and various easy techniques, sigh :(
    I remember an old thread of mine (sadly, I never got new developments from the plugins devs), wordpress could do with slightly more paranoid security, haha.

  11. Really, any CMS is vulnerable any number of ways. It's the nature of the beast.

  12. MickeyRoush
    Member
    Posted 2 years ago #

    I'm still not sure if you should be highly concerned on someone discovering your admin username. Just make sure you follow the recommendation on password creation. I frequent different white/black/gray hat hacking sites and they all talk about how hard it is to crack WordPress user passwords.

    My problem here is that if you use a login limiting plugin or other code, kiddies could actually lock you out of your site or any other user for that matter with purposely failed attempts or irritate you and users by playing with the lost password function, which sends an email to the user every time it's used. As the developer of the site, you could always disable the plugin/code that limits the logins, but it would suck for any of your users who were hit with this attack as they would have to wait on you to fix it.

    I guess another point to be taken in consideration is that if the admin username can be easily discovered, what use is changing the default, except for script kiddies scouring the web targeting the username 'admin'? They can still possibly figure it out, even if you change the default.

    <I'm off to sip something with some caffeine so I can ponder this.>

  13. Microcap
    Member
    Posted 1 year ago #

    I tried your HTACCESS code to block access to admin names, but it did not work. Any other solutions to block names from being visible?

    'RewriteCond %{REQUEST_URI} \?author=\d+ [NC]
    RewriteRule .* - [F]'

  14. Andrew
    Forum Moderator
    Posted 1 year ago #

    The conversation has long ended.
    Create your own thread.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.