Probably. Post a link to the site in this topic and I’ll have a look at it.
Ah, ok.
I was able to find 2 accounts by using a technique called user enumeration. So yes, the site is leaking user info. It’s a standard WordPress feature, as WordPress considers users not to be private info, just like email addresses.
Additionally the users endpoint of the WordPress REST API also returns all users … (https://setseg.org/wp-json/wp/v2/users)
The iTSec plugin includes security features to protect your site from both methods of user harvesting. Clearly these features are not enabled. Note that since these accounts have already been harvested, enabling the right plugin features won’t be enough. Enable the plugin features first and then rename the accounts …
Oh one last thing, the site currently seems to be using the 7.1.0 iTSec plugin release while a newer release (7.2.0) is available.
So it’s recommended to update the plugin to the latest release 😉
Awesome, thank you so much! I will rename the accounts after turning on the appropriate settings. Can you tell me which section that is in within settings? There are so many settings for this plugin! Thank you!
Also, it concerns me that isecurity can write to my .htaccess and wp-config files. What all will that entail?
Click on the Show Details button of the Security Check module. Then click on the Secure Site button.
This will enable and configure the modules listed.
Click on the Close button to return to the Settings page.
The module you should focus on after the instructions above is the WordPress Tweaks module.
So scroll down a bit and click on the Configure Settings button of the WordPress Tweaks module. Scroll down to the REST API setting. Notice this is currently set to Restricted Access (Recommended). So the previous Secure Site action has already taken care of this.
Next scroll down a bit more and tick the Force Unique Nickname and Disable Extra User Archives checkboxes.
Finally click on the Save Settings button.
This reply was modified 7 years, 4 months ago by nlpro.
you’ve been awesome, thank you so much for your help!!
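One way to confirm that the REST API restriction described above took effect on your own site, as an added example that is not part of the original thread: the function classifies a response from the `/wp-json/wp/v2/users` endpoint and reports which exposed slugs still match a login name, which is why renaming the harvested accounts matters. The function names, sample bodies and the error code in the "after" sample are constructed for illustration.

```python
import json
import urllib.error
import urllib.request


def assess_users_response(status, body, login_names=()):
    """Classify a response from /wp-json/wp/v2/users (hypothetical helper)."""
    result = {"exposed": False, "slugs": [], "matches_login": []}
    if status != 200:
        return result                      # 401/403/404: endpoint is restricted
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return result                      # not JSON (e.g. an HTML block page)
    if not isinstance(data, list):
        return result                      # JSON error object, not a user list
    slugs = sorted({u["slug"] for u in data
                    if isinstance(u, dict) and isinstance(u.get("slug"), str)})
    logins = {name.lower() for name in login_names}
    result["slugs"] = slugs
    result["exposed"] = bool(slugs)
    # Slugs that equal a current login name are the accounts still worth renaming.
    result["matches_login"] = [s for s in slugs if s.lower() in logins]
    return result


def check_site(base_url, login_names=(), timeout=10):
    """Fetch the endpoint from a site you administer and assess the response."""
    url = base_url.rstrip("/") + "/wp-json/wp/v2/users"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return assess_users_response(resp.status, body, login_names)
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        return assess_users_response(err.code, body, login_names)


# Constructed sample bodies: before and after restricting the REST API.
SAMPLE_BEFORE = ('[{"id": 1, "name": "Site Admin", "slug": "siteadmin"},'
                 ' {"id": 2, "name": "Jane", "slug": "jane-editor"}]')
SAMPLE_AFTER = ('{"code": "constructed_restricted", "message": "Access denied.",'
                ' "data": {"status": 401}}')

if __name__ == "__main__":
    print(assess_users_response(200, SAMPLE_BEFORE, ["siteadmin", "newlogin"]))
    print(assess_users_response(401, SAMPLE_AFTER, ["siteadmin", "newlogin"]))
```

Run `check_site` from a logged-out context against your own site, passing the login names currently in use; an empty `matches_login` list after the rename means the harvested names no longer correspond to live logins.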