Support » Fixing WordPress » Hacking Attempts – Hide username?

  • I have the “Login Lock” plugin installed and I regularly receive emails telling me that there’s been a malicious attempt to log in to my site. I’m not usually concerned by this because I have the plugin set to only allow 4 login attempts then ban the IP address for a week.

    Also the attempts usually target the username “admin” which I don’t use. I have a completely unique username and, in the user profile settings, I have it set to publicly display a different nickname.

    Just recently however I have noticed a couple of attempts to login using my unique username which is not publicly visible. How is it possible for someone to discover this username and how can I protect it from being seen?

Viewing 5 replies - 1 through 5 (of 5 total)
  • runnerb0y

    (@runnerb0y)

    The post author and comments author is visible if you look at the source code on a page. I’m also looking for a way to hide/eliminate this information. On my blogs it’s really not needed and when I was running a much older version of WP (3.0.5 I think) I was able to strip this information out. The trick no longer works. 🙁

    Christine Rondeau

    (@crondeau)

    Volunteer Forum Moderator

    Have you looked at the latest code poet resource? – http://build.codepoet.com/2012/07/10/locking-down-wordpress/

    There might be some good info in there.

    mvandemar

    (@mvandemar)

    The Codepoet pdf doesn’t contain any info pertaining to that. @runnerb0y, I am not sure which trick you were using, but if you remove all references of the_author(), the_author_link(), get_the_author(), and any the_author_meta() calls that invoke ‘user_login’ (ie. “the_author_meta( ‘user_login’ )” ) from your theme then it should no longer appear anywhere.

    eyesi

    (@eyesi)

    I recently found the answer to this problem. Basically you edit your .htaccess file to include the following line: –

    RewriteRule ^author/(.*)$ http://www.[your domain URL]/ [R,L]

    This prevents people from entering: –

    http://www.[your domain]/?author=1 …?author=2 etc. This will reveal the author’s username but the .htaccess rule will redirect them to the home page.

    The discussion that provided that answer can be found here: –

    wp security checklist

    MickeyRoush

    (@mickeyroush)

    You may want to check out my old post here:
    http://wordpress.org/support/topic/some-wannabe-hackers-found-my-admins-login-any-ideas-about-it?replies=12#post-2826181

    I’m the person that came up with that first RewriteRule. And it doesn’t work against /?author=1

    It works for finding the author's archives, which may or may not be using their username. It may be using their nickname, which can be different if you choose.

    If you want to block phishing the author by ID you’ll need to do something like this:

    RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
    RewriteRule ^ http://example.com/? [R=301,L]

    Where example.com is your domain.

    Or just use this plugin:
    http://wordpress.org/extend/plugins/wp-author-slug/

    If you use that plugin, just make sure your Nickname is different from your Username and make sure that your Nickname is the name set to:
    “Display name publicly as”
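
Added example, not part of the original thread: a small log check for the `?author=N` probing discussed above, useful for confirming whether the attempts are reaching the site and from where. It assumes Apache combined-format access logs; the sample lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not from a real site).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2012:10:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 - "-" "-"
203.0.113.7 - - [12/Jul/2012:10:01:03 +0000] "GET /?author=2 HTTP/1.1" 301 - "-" "-"
203.0.113.7 - - [12/Jul/2012:10:01:04 +0000] "GET /index.php?paged=2&author=3 HTTP/1.1" 200 512 "-" "-"
198.51.100.4 - - [12/Jul/2012:10:05:00 +0000] "GET /author/jane/ HTTP/1.1" 200 2048 "-" "-"
198.51.100.9 - - [12/Jul/2012:10:06:00 +0000] "GET /?s=author=1 HTTP/1.1" 200 900 "-" "-"
192.0.2.55 - - [12/Jul/2012:10:07:00 +0000] "GET /?author=1 HTTP/1.1" 200 700 "-" "-"
"""

# Client IP and request target from one combined-format log line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" \d{3} ')

def author_probes(log_text):
    """Map client IP -> sorted list of numeric author IDs it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # The author ID travels in the query string, never in the URL path,
        # so parse the query properly instead of grepping the whole line.
        query = parse_qs(urlsplit(target).query)
        for value in query.get("author", []):
            if value.isascii() and value.isdigit():
                seen[ip].add(int(value))
    return {ip: sorted(ids) for ip, ids in seen.items()}

def enumerators(log_text, min_ids=2):
    """IPs that asked for at least min_ids distinct author IDs."""
    probes = author_probes(log_text)
    return sorted(ip for ip, ids in probes.items() if len(ids) >= min_ids)

if __name__ == "__main__":
    for ip, ids in author_probes(SAMPLE_LOG).items():
        print(ip, ids)
    print("likely enumeration:", enumerators(SAMPLE_LOG))
```

A single request for one author ID can be an ordinary visitor following a link; several distinct IDs from one address is the pattern worth acting on.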

  • The topic ‘Hacking Attempts – Hide username?’ is closed to new replies.