Spike in Username Login Attempts

  • Moderator Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    I don’t recommend looking into that and second-guessing the underlying intentions of the hacker. That’s going to consume a lot of time and with no useful outcome.

    A spike of people trying to hack your site is not a security issue. You may want to implement some (if not all) of the recommended security measures and start backing up your site.

    Moderator Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    I know I’m going to regret this, but usernames are not secure and the act of making them secure is also not worth investing time into. Since that plugin has a feature to hide the username, you’re facing an issue with the feature of that plugin. A pointless feature in my opinion, but you can discuss it on that plugin’s support forum.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Moved to Fixing WordPress, this is not an Everything else WordPress topic.

    “I don’t recommend looking into that and second guessing the underlying intentions of the hacker.”

    I totally agree. The uptick in those events does not matter. It’s just background noise and you’ll just hurt yourself looking at those attempts.

    If you’re worried about admin accounts then consider enabling 2FA for those accounts.

    I use this one.
    https://wordpress.org/plugins/two-factor/

    There are others.
    https://wordpress.org/plugins/search/two+factor/

    So I guess my bigger question is, with the security measures I had in place as described in my original post, how did someone obtain the username?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    They guessed? They found a post where it’s revealed in the HTML?

    It really doesn’t matter. Usernames are not assumed to be secret. That’s just the identity portion and you must assume it’s not and never has been unknown.

    The security is in your strong password and where applicable 2FA. That is the part you keep secret and need to protect.

    The experts here are the experts here for very good reasons, and I hesitate to disagree with them, but … I absolutely refuse to accept that my website being constantly attacked by malicious login requests is somehow normal. So … WPS Hide Login to obfuscate my login page, Edit Author Slug to hide my username, and Cloudflare page rules and/or firewall rules to keep malicious login attempts completely off my site/server. Yes, a determined hacker could still find and use my username, but I am much more concerned with bad bots. That said – a strong password is essential – 2FA is a good idea.
