Hacker guessed correct superadmin user name… how?

  • Resolved Q2Associates

    (@q2associates)


    10 years, 9 months ago

    I have recently received a WordFence email alert telling me that a login attempt had been blocked – nothing unusual there.

    What is disturbing about this one, however, is that the attempt uses the correct superadmin username. Now that is really weird, as I’m using an (effectively) unguessable username… so how did the would-be hacker get hold of it?

    I have checked the site and nothing is broken. A WordFence scan looks fine. There have been no actual logins other than my own. So it appears that the username is known, but the password is not.

    I have since changed the username (by using these instructions: http://premium.wpmudev.org/blog/change-admin-username/)

    Possible vulnerabilities: The username is stored on my iCloud keychain, and also in a PassDrop file which is on my DropBox account. I do occasionally log in from a shared Wifi network at work. None of these seem particularly insecure to me… and yet it must have leaked somewhere!

    My question is this: What is the most likely source of the leak, and how can I best prevent it from happening again?

    https://wordpress.org/plugins/wordfence/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author WFMattR

    (@wfmattr)

    10 years, 9 months ago

    If none of the three source you mentioned are likely, it’s possible that the theme or some part of WordPress is leaking the username. Some themes list each page creator’s username in the classes of the <body> tag, or another part of the page structure. I have seen this happen with admin accounts, but I’m not that familiar with multisite, so I don’t know if it would apply, unless the super admin “owns” some pages — if you visit a page on your site (while not logged in) and view the page’s source, you can try searching for the (new) admin name, and see if it appears anywhere.

    Another possibility is that they picked up the admin username before Wordfence started blocking discovery of usernames with “/?author=N” scans (or this feature is not turned on, on your site).

    It might also be possible that your server stores some logs in a way that they are publicly accessible or can be found through an insecure ftp setup, or even that one of the plugins has a method of showing users (either on the front end, or through a bug).

    Thread Starter Q2Associates

    (@q2associates)

    10 years, 8 months ago

    That is a very interesting suggestion, WFMattR – thanks. I will investigate further. There is a corresponding Admin account, so it could have leaked that way.

    Edit: Yes, the username is appearing in the page source. Not only that, but it has changed to my new username. Now I need to know how to fix that. Grrr….

    WFSupport

    (@wfsupport)

    10 years, 8 months ago

    You’ll likely have to take that up with the theme creator. Make sure your display name is set different than the super admin login name in the super admin’s profile.

    tim

    Thread Starter Q2Associates

    (@q2associates)

    10 years, 8 months ago

    All fixed now 🙂

    1. Created a new username, with editor access (but not admin or superadmin)
    2. Reassigned all the existing pages and posts to the new username
    3. Checked the page source, which no longer reveals the admin/superadmin user name

    Many thanks for the help – I wouldn’t have thought to look there!

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Hacker guessed correct superadmin user name… how?’ is closed to new replies.