• Resolved SussexCounty

    (@sussexcounty)


    My WordFence plugin logs a good number of hack attempts using existing usernames. Since I don’t show usernames on the pages I’d like to know how to block hackers finding those out.

    I found an old thread where member christoperross stated “kind enough to show me the exploit. For obvious reasons I’d rather not share here.”

    Old thread URL:
    https://wordpress.org/support/topic/security-hackers-getting-usernames

    I’m very interested in understanding this exploit so I can make the fix on my site, but I don’t see how to privately msg christoperross. Is that doable in these forums, or has this exploit become well known so someone else can share any fix with me?

Viewing 3 replies - 1 through 3 (of 3 total)
  • There is no PM system in place here as it dilutes discussion.

    I’m not aware of any long-standing exploits regarding usernames being visible. Although admittedly it wouldn’t be much of an exploit. Could you provide a link to your website? I’ll give it a quick look to see if I can see any visible usernames.

    Thread Starter SussexCounty

    (@sussexcounty)

    (slaps head) I see it now, sorry for the interruption.

    http://www.sussexcountyclerk.org

    It looks like you set all of the display names to County Clerk (where possible). That’s great and all, but a display name does just as it says; it just displays. For other uses, such as permalinks, the username is used. As such I can easily tell that one of your authors is named after a certain god of thunder.

    The best you can do is just hide the usernames on the posts or, if possible, just use one account (a very low permission account) for posting. Anything beyond that is kind of overkill. A username honestly doesn’t do much for anyone. They still need to figure out the password and if you use a good strong unique password they’ll never figure it out.
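
An added example, not part of the original thread: a small audit a site owner can run over their own rendered pages to list which account slugs appear in author permalinks even though the byline shows only a display name. It assumes the default `/author/<slug>/` permalink base; the sample markup, the `example.org` URLs and the `editor-login-*` slugs are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site uses the default author archive base, /author/<slug>/
AUTHOR_PATH = re.compile(r"/author/([^/]+)")

class AuthorLinkAudit(HTMLParser):
    """Collect the slug and visible link text of every author-archive link."""
    def __init__(self):
        super().__init__()
        self.found = {}     # slug -> set of texts shown to visitors
        self._slug = None   # slug of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        match = AUTHOR_PATH.search(urlparse(href).path)
        if match:
            self._slug, self._text = match.group(1), []

    def handle_data(self, data):
        if self._slug is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._slug is not None:
            shown = "".join(self._text).strip()
            self.found.setdefault(self._slug, set()).add(shown)
            self._slug = None

def exposed_slugs(html):
    """Return {slug: sorted display texts} for author links in rendered HTML."""
    parser = AuthorLinkAudit()
    parser.feed(html)
    return {slug: sorted(texts) for slug, texts in parser.found.items()}

# Constructed sample: every byline reads "County Clerk", the hrefs do not.
SAMPLE_HTML = """
<article><h2>Office hours</h2>
<span>By <a href="https://example.org/author/editor-login-1/">County Clerk</a></span></article>
<article><h2>Records request</h2>
<span>By <a href="/author/editor-login-2/page/2/">County Clerk</a></span></article>
<a href="https://example.org/category/news/">News</a>
"""

if __name__ == "__main__":
    for slug, shown in exposed_slugs(SAMPLE_HTML).items():
        print(f"slug '{slug}' is public in a permalink; byline shows {shown}")
```

Any slug the audit reports is visible to every visitor, so those accounts are the ones that need strong unique passwords and the lowest role that still allows posting.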


The topic ‘Security hackers getting usernames’ is closed to new replies.