WP & brute force attacks – user_login & user_nicename
Hi everyone,
I’ve been having issues lately with brute force attacks on a WordPress site I manage.
To deal with the problem, I installed WP Security, which I then used to add a CAPTCHA to the login page, blacklist some IPs, and get a list of failed login attempts.
Because of the failed login log, I realized whoever was doing this obviously had the right usernames for our admin users (since none of them are the default ‘admin’). This is easy information to get, I know, since the theme we’re using creates author pages, from which the usernames can be inferred.
To mitigate the brute force attacks, I decided to update the usernames in the database, so that the bots couldn’t log in. When doing so in phpMyAdmin, I noticed two separate columns – user_login and user_nicename. After a bit of reading, I decided to only update user_login, leaving user_nicename in its original form and thus leaving the author page URLs intact. The brute force attacks are now registering as ‘failed login: nonexistent username’, while the author pages are still working with the ‘old’ usernames. So here’s my question:
tl;dr can changing user_nicename in the DB have any negative consequences? If not, is it a reliable way to mitigate brute force attacks when author pages are visible within a site?
I would very much appreciate your thoughts on this, as well as any experience you can share on dealing with brute force attacks and hiding usernames in WP.
Thanks!
/simonast
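As an added example that is not part of the original post, and not code from the WP Security plugin the poster uses, here is a small must-use plugin that does the two things the post describes from the defensive side: it records each failed login with whether the attempted username actually exists (the same ‘nonexistent username’ distinction the poster sees in the log) and throttles a client IP after a few failures. The hooks (`wp_login_failed`, `authenticate`, `wp_login`), `username_exists()`, transients and `MINUTE_IN_SECONDS` are real WordPress APIs; the threshold, window, transient key prefix and the `flt_` function names are assumptions chosen for this example.

```php
<?php
/*
Plugin Name: Failed Login Throttle (example, not from the original post)
Description: Logs failed logins and blocks a client IP after repeated failures.
*/

// Assumed values for this example; tune to taste.
const FLT_MAX_ATTEMPTS   = 5;                        // failures allowed per window
const FLT_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;   // how long a failure counts

// Transient key derived from the client IP (hashed so the key stays short).
function flt_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'flt_fail_' . md5($ip);
}

// Fires after WordPress rejects a login; counts the failure and logs whether
// the username exists, which tells you if the attacker has real usernames.
function flt_record_failure($username) {
    $key   = flt_client_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, FLT_WINDOW_SECONDS);

    $status = username_exists($username) ? 'existing username' : 'nonexistent username';
    $ip     = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log(sprintf('failed login: %s (%s) from %s, attempt %d', $username, $status, $ip, $count));
}
add_action('wp_login_failed', 'flt_record_failure');

// Runs in the authenticate chain at priority 30, after the built-in
// username/password check (priority 20); refuses once the threshold is hit.
// The message is deliberately generic so the response itself leaks nothing.
function flt_throttle($user, $username, $password) {
    $count = (int) get_transient(flt_client_key());
    if ($count >= FLT_MAX_ATTEMPTS) {
        return new WP_Error('flt_too_many', 'Too many failed login attempts. Please try again later.');
    }
    return $user;
}
add_filter('authenticate', 'flt_throttle', 30, 3);

// A successful login clears the counter so legitimate users are not locked out
// by their own typos.
function flt_clear_on_success($user_login, $user) {
    delete_transient(flt_client_key());
}
add_action('wp_login', 'flt_clear_on_success', 10, 2);
```

Drop the file into `wp-content/mu-plugins/` so it loads before ordinary plugins. Two caveats worth knowing: the counter keys on `REMOTE_ADDR`, so behind a reverse proxy or CDN you would see the proxy's address unless the real client IP is restored earlier in the request; and renaming `user_login` while keeping `user_nicename` only changes what the bots have to guess, so the throttle above (or the CAPTCHA the poster already added) is what actually limits the guessing rate.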