Admin username is easily found (7 posts)

  1. matbrite
    Posted 4 years ago #

    By appending ?author=1 to your blog url (i.e. yourdomain.com/?author=1) someone can easily retrieve the admin username. Assuming that the default admin account exists and is user #1 in the database, which for the most part would indeed be the case.

    We discovered this after someone spent an hour running a dictionary attack on the admin username, server access logs revealed that they picked it up in one attempt using the above method. They also did the same for the first 10 users. It's not at all ideal!

    Anyway, we have put in a redirect in the htaccess file to prevent this from happening...

    RewriteCond %{QUERY_STRING}  ^author=(.*)$ [NC]
    RewriteRule ^$ http://yourdomain.com/? [R=301,NE,NC,L]

    which bounces any such request back to the home page.

  2. matbrite
    Posted 4 years ago #

    Thanks very much for the link, we have a custom brute force detection script which caught this occurance, but we'll take a further look at that one. It was the easy with which usernames/nicknames could be found which was a surprise. Strikes me as a flaw in WordPress.

  3. Given that most sites actually LINK the authorname on posts? Not really.

    I mean, logically mine's going to be Ipstenu, so people would look at ipstenu.org/author/ipstenu and verify it. It's not really rocket surgery to figure out.

  4. esmi
    Forum Moderator
    Posted 4 years ago #

    The strength of your password is the real key here.

  5. matbrite
    Posted 4 years ago #

    Personally, I wouldn't use an easily determinable name for an admin account, I guess that's preference. Apart from which I wouldn't setup any wordpress install to use actual usernames in link URIs. Anyway, even Worpdress themselves suggest changing the admin name from admin - http://codex.wordpress.org/Hardening_WordPress#Security_through_obscurity

  6. http://yourdomain.com/?author=1

    No point. The best you could do is make user 1 as admin, then make a second as admin and delete the first. It MIGHT thrown them off, but I wouldn't count on it.

Topic Closed

This topic has been closed to new replies.

About this Topic