WordPress.org

Ready to get started?Download WordPress

Forums

[closed] Security (hackers getting usernames) (12 posts)

  1. christopherross
    Member
    Posted 1 year ago #

    I'm running a WordPress website without any public posts published under a specific username, yet a hacker has been attempting to breach the site using that specific username. How?

    Keep in mind, there are no posts or pages published using that account, the site doesn't include an authors page, and there is no publicly published list of accounts ... so, where are they getting the username from?

    Chris

    (and no, it's not a common name, and they've specifically targeted this account, not randomly guessed it)

  2. esmi
    Forum Moderator
    Posted 1 year ago #

    I don't think that there is any way that we will be able to answer this for you. It seems unlikely that the database has been compromised as any half-decent hacker would them target the database itself rather than messing about trying to login as that user.

    Have you checked your RSS feeds?

  3. christopherross
    Member
    Posted 1 year ago #

    Hi Esmi, I'm certain they've not compromised the site as we have reasonable precautions in place. My concern is that they managed to guess the username in the first place.

    We have two sites that the IP address has attempted to infiltrate in the last week, in both cases they "guessed" only one username per site (the account was different for each site), and it was an active administrators account.

    I've scrapped the site with all files that are linked from the homepage, or any subsequent page and can't find an occurrence of any usernames in the HTML. I've also looked at all the feeds from http://codex.wordpress.org/WordPress_Feeds and there's nothing suspect in them.

    It's a mystery :)

  4. esmi
    Forum Moderator
    Posted 1 year ago #

    Have the computers used by either of these admins been scanned for malware etc? There's a possibility that a compromised machine could have leaked some details.

  5. What do you have set as your "Display Name" for the account? The Display Name is what will get shown as the "author" for all posts published on the site.

    It's also possible that they found it via the author archives: http://yoursite.com/author/{username}. Those are always public.

  6. christopherross
    Member
    Posted 1 year ago #

    @emsi Anything's possible =, but the two sites being attacked are mid range properties with moderate traffic, not our high (or low) traffic sites. It appears isolated to these two sites, and they don't have passwords (just the usernames) which would tend to rule out a sniffer.

    @pippin That was my first thought, and highly likely except the sites used different usernames. In the first case they knew to attack christopherr (as an example) and the second they knew to christopher (also an example).

    I guess my concern is that somewhere there's a list of usernames being made available through a back channel, but that seems ridiculously unlikely.

  7. Is your name shown anywhere on the site? If your name is public on the site and your username matches or is similar to your name, then it doesn't seem unlikely at all that it was simply a good guess. Kind of like guessing that the username on my PippinsPlugins.com site might be pippin, pippinsplugins, or something of that variation.

  8. christopherross
    Member
    Posted 1 year ago #

    Thanks Pippin, it's a weird one.

    There's no forward facing use of the name that I can find either in a full site search or a full offline download. No author page, no links, posts, or pages associated with the account.

    The problem is that either they got the name from the site, or they successful guessed the first name/initial letter combination of a developer without knowing who the developer was from the site.

    Clearly there's got to be something but it's a mystery to me.

  9. christopherross
    Member
    Posted 1 year ago #

    Found it. Actually David found it, but he was kind enough to show me the exploit. For obvious reasons I'd rather not share here. Chris

  10. Dave Naylor
    Member
    Posted 1 year ago #

    Ah, so it was as I suspected. If anyone's interested, [Redacted].

    Glad to have helped anyway.

  11. bitpath
    Member
    Posted 7 months ago #

    I just noticed this too for a site that has no public posts from many the usernames being used to attempt to access.
    Whoever "hacked" this site was able to get a list of usernames to attempt to log in with, but not the passwords it seems by the numerous attempts to access the site using a list of valid usernames. This is a site with only a dozen users so it was very obvious they were able to get the usernames and not passwords. I do not have buddypress activated on this site or anything I think would normally produce a member user list for public access.
    I will try to email Dave to see if he can shed any light or how I can close this vulnerability. I am currently checking for changed files but on the surface it seems like they were only able to pull a valid list of usernames.

  12. Andrew
    Forum moderator
    Posted 7 months ago #

    Sorry that Dave gave you the impression that these forums provide one-on-one support, that is not the case and I've redacted his email.

    If you cannot find the right answers in people's threads (you have brownie points for searching first) then I'd recommend you create a new one about your issue: http://wordpress.org/support/forum/how-to-and-troubleshooting#postform

Topic Closed

This topic has been closed to new replies.

About this Topic