Are Admin Usernames Public? Suggestions needed. | WordPress.org

kempas
(@kempas)

11 years, 1 month ago

I recently moved a site of mine to a new host, and from day one was inundated by Wordfence alerts about attempted logins.

Most of these have been with the standard ‘admin’ username, but a couple have been specific to my site (i.e, actual users). I had already tightened my security protocols in Wordfence, but recently took the step of removing the existing admins, blocking any attempt to log in using some usernames, and creating a new, non-public posting, admin with a strong unique password.

A few days passed without any attempts to log in whatsoever, and then today I’ve received alerts of two attempts to log in as the newly created (and very randomly-named) new admin.

This, obviously, has me scratching my head. Does anyone know if WordPress makes user lists public – either by design, or by user/owner error. Because I have no idea how the name would be known otherwise.

I’m using a secure and unique password, but I’m a little concerned by this whole thing.

any thoughts?

Viewing 1 replies (of 1 total)

Thread Starter kempas
(@kempas)

11 years, 1 month ago

I’ve found this, which appears to report a similar situation:

https://wordpress.org/support/topic/security-hackers-getting-usernames

I’ve also realised that my new admin’s ‘display as’ name wasn’t set to anything different than the actual username. Hence the “yoursite.com/?author=X” makes the username visible.

Tweaked that, waiting for a new attempt…

Viewing 1 replies (of 1 total)

The topic ‘Are Admin Usernames Public? Suggestions needed.’ is closed to new replies.

Tags

1 reply
1 participant
Last reply from: kempas
Last activity: 11 years, 1 month ago
Status: not resolved

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics