Support » Requests and Feedback » Admin username is easily found

  • By appending ?author=1 to your blog url (i.e. someone can easily retrieve the admin username. Assuming that the default admin account exists and is user #1 in the database, which for the most part would indeed be the case.

    We discovered this after someone spent an hour running a dictionary attack on the admin username, server access logs revealed that they picked it up in one attempt using the above method. They also did the same for the first 10 users. It’s not at all ideal!

    Anyway, we have put in a redirect in the htaccess file to prevent this from happening…

    RewriteCond %{QUERY_STRING}  ^author=(.*)$ [NC]
    RewriteRule ^$ [R=301,NE,NC,L]

    which bounces any such request back to the home page.

Viewing 6 replies - 1 through 6 (of 6 total)
Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Admin username is easily found’ is closed to new replies.