WordPress.org

Ready to get started?Download WordPress

Forums

[closed] WordPress Username Exposed? (11 posts)

  1. droimbai
    Member
    Posted 2 years ago #

    Hi there,

    I've changed my WordPress admin username to something that is cryptic, difficult to guess and never used elsewhere. However, I'm surprised that some hackers actually tried to login to my site using that username recently.

    My question is, how is it possible for them to know the username in the first place? My RSS feed displays only my first and last name, not my username. Are there other places in WordPress that has unintentionally exposed my username without me being aware? Would appreciate any advice.

    Thank you.

  2. droimbai
    Member
    Posted 2 years ago #

    I believe I've found the answer to my own question.

    It turned out that when I created the new user in WordPress, I didn't specify the nickname. So WordPress used the username as the nickname. But as to where this nickname is used in my blog so that hackers can locate them, I've no idea yet. I don't use nickname in my theme as far as I know. Would appreciate any advice.

    Thanks for your attention.

  3. michael.mariart
    Member
    Posted 2 years ago #

    I can't remember the URL that does it off the top of my head, but the authors profiles are available for the site pretty easy, and that shows the users details, which will include their username if there's no nick name set. Seeing as how it's teh main admin account it's easy to view that by asing something like '?id=1' to get the first user account that was set up, which is normally the main administration account.

  4. droimbai
    Member
    Posted 2 years ago #

    Thank you michael.mariart.

    I already have an About page. Is there a way to suppress the author profiles from showing up? Cheers.

  5. I've changed my WordPress admin username to something that is cryptic, difficult to guess and never used elsewhere. However, I'm surprised that some hackers actually tried to login to my site using that username recently.

    It doesn't help at all.

    What you're doing is security by obscurity, and you can hide it all you want, but if you're using a strong password, that will never be the way they get in.

    You can use a .htacess redirect to point domain.com/author/* to the about page if you want.

  6. droimbai
    Member
    Posted 2 years ago #

    Thank you for your advice, Ipstenu.

    Yes, I understand that security by obscurity is not enough. But I feel that it's one of the things that add up to a site's overall security.

    A strong password is definitely important and I do use a strong one. I just want to make the life of a hacker harder by making the username more obscure. And I don't feel safe exposing my username inadvertently.

    As suggested, I've redirected my site's author link elsewhere.

    But I realized that domain.com/author/author-name is not the place that leaked my username because the page simply displays a list of blog posts attributed to me. So the hacker must have found it some other way.

  7. domain.com/?author=1 - Redirects to domain.com/author/author-name

    If you want to hide it with .htaccess:

    RewriteRule   ^author/(.*)$  http://example.com/  [R,L]

    Dumps everything back to the top of the blog.

  8. sdriedger
    Member
    Posted 1 year ago #

    Having a different nickname than the login name is a good first step. So is redirecting as above. However, if you have someone who is determined enough to go after actual login names, WordPress exposes these for all to see. What we need is a solution that forces the use of the nickname and hides the login name that is associated with that nickname.

    A new registration page that requires a nickname, informs the registrant that this is the name that will be publicly displayed, and then forces the use of the nickname or even firstname/lastname for that purpose would be a good starting point. I know some site admins prefer the use of the person's actual name. Either way, the login name is not the one that is used.

    Fixing the exposure of the login name along with the nickname, which I see as a critical security flaw, should be a top priority. I have been looking for something that will do this or show me how it can be done.

  9. sdriedger
    Member
    Posted 1 year ago #

    The problem appears to be more theme related than WordPress related and has to do with how the code was written to show who the author of a post is. On 2 sites I have child themes based on TwentyEleven. Neither exposes the login name when a nickname is used. Mind you, I can not recall if I changed anything on the related files for the child theme.

    On other sites, using different themes, the login name is exposed when you right click on a post, view page source, and search for author. I will need to contact support for those themes to see if there is a way to lessen this exposure.

  10. WayneM1
    Member
    Posted 1 year ago #

    Does anyone know for sure if this a plugin/theme coding issue... or a WP core issue?

  11. esmi
    Forum Moderator
    Posted 1 year ago #

    Please post your own topic - including full details of any issues you currently have.

Topic Closed

This topic has been closed to new replies.

About this Topic