Support » Fixing WordPress » Brute Force Attackers Know My Registrants' Usernames

  • Olivia



    I wanted to bring this up to your attention.

    In the last 2 weeks or so, the attackers have been using the “usernames” of the people who registered “through WP” relentlessly. That is in addition to attacking using a guessed “admin” username. So far, with the security plug-in I have installed to its full extent, my blog site has not been breached. (All-In-One WP Security & Firewall — An excellent plug-in!)

    But, here is my concern . . . Are they getting the “usernames” through WP registering system? If so, no matter what I would do to secure my blog site, it would be in vain.

    Is this a common thing that I am experiencing?

    Is there anything else I could do to prevent this?

    Thank you for your response.

Viewing 2 replies - 1 through 2 (of 2 total)
  • I’ve not heard of that, though thinking of how this could happen a couple things come to mind. Can your registered users posts and are their names listed as author along with the posts if the can (this wouldn’t be the username, but a user’s screen name might be guessed from that). I’d think if someone was sniffing open traffic (non-SSL), they’d get the password too. Or since passwords are encrypted in the database, maybe usernames were obtained somehow.

    That all said, I’d just harden the site down even more and add additional security specifically for brute force attacks in general. I always use one of the many login lockdown plugins, or more lately, I just use that feature in Better WP Security.

    Codex: Brute Force Attacks



    Thank you for your input, Doug.

    The registrants do not have any access to my site. They registered through WP registration, it seems. When they do that, their names are listed as “Users” for some reason. None of them are allowed to post anything, except comments. So far, there has been only one of them who has posted the comment.

    They are not “guessed” and are exactly as they are.

    They are stealing them from “somewhere” and it is not from my admin site.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Brute Force Attackers Know My Registrants' Usernames’ is closed to new replies.