
Wordpress Brute Force Attacker knows real admin Username - [Resolved]

I've noticed a brute force attempt on several different WordPress installs that knows the right admin username for those respective sites...

It seems very strange that the hacker would be able to find the username but not the password... Furthermore, I've checked these WordPress builds, and I do not see where they are leaking that information anywhere - albeit that is likely the answer...

While I am not worried about the attacker getting through thanks to a whitelist I've already implemented - I am concerned that whatever vector this hacker is using could be used to obtain more sensitive information.

Thank you for any suggestions - !

Question Credit: rm-vanda
Asked March 25, 2019
Posted Under: Security
4 Answers

I had the same problem and blocked the requests for the author scanning with the following .htaccess rules:

# Stop author scanning: refuse any request whose query string carries author=<number>
# (the /?author=N probe). Put this above the "# BEGIN WordPress" block so it runs first.
RewriteEngine On
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]

credit: Roger Burkhard
Answered March 25, 2019
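The scanning that the rule above blocks leaves a recognisable trace in the web server access log: one client walks /?author=1, /?author=2, ... and, for every ID that exists, WordPress answers with a 301 to /author/<slug>/, where the slug (user_nicename) is derived from the login name by default, which is how the username leaks. As an added example that is not part of the original thread, the following Python script parses combined-format access log lines and reports which clients probed author IDs, which slugs those probes disclosed, and how many POSTs to wp-login.php followed. The log lines, IP addresses and usernames are constructed for the demonstration; the author= match is case-insensitive to mirror the [NC] flag in the .htaccess rule.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format access log lines (not taken from any real server).
# 203.0.113.7 enumerates author IDs, follows the 301s, then starts posting to wp-login.php.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Mar/2019:10:01:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2019:10:01:01 +0000] "GET /author/siteadmin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2019:10:01:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2019:10:01:02 +0000] "GET /author/editor-jane/ HTTP/1.1" 200 4990 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2019:10:01:03 +0000] "GET /?author=3 HTTP/1.1" 404 1200 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Mar/2019:10:05:00 +0000] "GET /?p=42 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2019:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# author=<number> anywhere in the query string, case-insensitive like the [NC] rewrite rule.
AUTHOR_QUERY_RE = re.compile(r'[?&]author=(\d+)', re.IGNORECASE)
# The author archive the 301 lands on; the slug is the disclosed username.
AUTHOR_ARCHIVE_RE = re.compile(r'^/author/([^/?#]+)/?')


def parse_line(line):
    """Return the fields of one access log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_author_scans(log_text, min_ids=2):
    """Map each client that probed at least min_ids author IDs to what it did.

    Result: {ip: {"ids": [probed IDs], "usernames": [slugs it was redirected to],
                  "login_posts": number of POSTs to wp-login.php}}
    """
    per_ip = defaultdict(lambda: {"ids": [], "usernames": [], "login_posts": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        m = AUTHOR_QUERY_RE.search(path)
        if m:
            per_ip[ip]["ids"].append(int(m.group(1)))
            continue
        m = AUTHOR_ARCHIVE_RE.match(path)
        if m and rec["status"] == "200":
            per_ip[ip]["usernames"].append(m.group(1))
            continue
        if rec["method"] == "POST" and path.startswith("/wp-login.php"):
            per_ip[ip]["login_posts"] += 1
    # Only report clients that actually walked author IDs; a lone login POST is not a scan.
    return {ip: d for ip, d in per_ip.items() if len(d["ids"]) >= min_ids}


if __name__ == "__main__":
    for ip, d in find_author_scans(SAMPLE_LOG).items():
        print(f"{ip}: probed author IDs {d['ids']}, learned {d['usernames']}, "
              f"then {d['login_posts']} login POST(s)")
```

Run it against a real log with `find_author_scans(open("access.log").read())`; a client that appears here and then shows up in wp-login.php POSTs is exactly the pattern described in the question.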

Recently I found a different path of username leakage.

By default the Yoast SEO plugin makes author-sitemap.xml available with a list of authors. This behaviour can be turned off in Search Appearance -> Archives.

credit: Jan Drábek
Answered March 25, 2019

By default WordPress usernames are not a secret by any means. As the other answers point out there are many ways of finding the usernames either by URL or even inside the content of the page itself (author class names).

There are numerous methods of hiding usernames and/or fighting against brute force attacks, but the simple answer to your question is that unless you have gone to some length to block usernames from being visible then the default for WordPress is that usernames are not kept secret and are easily visible.

credit: KnightHawk
Answered March 25, 2019
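The three leak paths named in this thread (the /?author=N redirect from the first answer, Yoast's author-sitemap.xml from the second, and the author classes and archive links in page HTML from the third) can each be checked from a captured response. The Python helpers below are an added example, not code from the thread or from WordPress; they run offline on constructed sample responses (the example.com URLs, the slugs siteadmin and editor-jane, and the HTML and XML fragments are all made up for the demonstration). In practice you would feed them the Location header from `curl -sI 'https://your-site/?author=1'`, the body of /author-sitemap.xml, and the HTML of a post or author page. Note that these checks, like a query-string rewrite rule, cover only the paths this thread names; a default WordPress install also lists users who have published posts at /wp-json/wp/v2/users.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Path of a WordPress author archive; the captured group is the author slug (user_nicename),
# which WordPress derives from the login name unless it was changed by hand.
AUTHOR_ARCHIVE_RE = re.compile(r'^/(?:.*/)?author/([^/?#]+)/?$')
BODY_CLASS_RE = re.compile(r'<body[^>]*\bclass="([^"]*)"', re.IGNORECASE)
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)
SITEMAP_NS = {"s": "http://www.sitemaps.org/schemas/sitemap/0.9"}


def username_from_author_redirect(location):
    """Slug from the Location header returned for /?author=N, or None if there was no
    redirect to an author archive (e.g. the request was blocked or the ID does not exist)."""
    if not location:
        return None
    m = AUTHOR_ARCHIVE_RE.match(urlparse(location).path)
    return m.group(1) if m else None


def usernames_from_author_sitemap(xml_text):
    """Slugs listed in a sitemap of author archives (<urlset><url><loc>.../author/<slug>/</loc>)."""
    root = ET.fromstring(xml_text)
    names = []
    for loc in root.findall("s:url/s:loc", SITEMAP_NS):
        slug = username_from_author_redirect((loc.text or "").strip())
        if slug:
            names.append(slug)
    return names


def usernames_from_html(html):
    """Slugs from author-<slug> body classes and /author/<slug>/ links; sorted and de-duplicated."""
    found = set()
    m = BODY_CLASS_RE.search(html)
    if m:
        for cls in m.group(1).split():
            # WordPress emits both author-<slug> and author-<numeric id>; keep only the slug.
            if cls.startswith("author-") and not cls[len("author-"):].isdigit():
                found.add(cls[len("author-"):])
    for href in HREF_RE.findall(html):
        slug = username_from_author_redirect(href)
        if slug:
            found.add(slug)
    return sorted(found)


# Constructed sample responses (not captured from any real site).
SAMPLE_LOCATION = "https://example.com/author/siteadmin/"
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/author/siteadmin/</loc><lastmod>2019-03-25T10:00:00+00:00</lastmod></url>
  <url><loc>https://example.com/author/editor-jane/</loc><lastmod>2019-03-24T09:00:00+00:00</lastmod></url>
</urlset>"""
SAMPLE_HTML = """<html><body class="archive author author-siteadmin author-1">
<article><span class="author vcard"><a class="url fn n" href="https://example.com/author/siteadmin/">Site Admin</a></span>
<a href="/author/editor-jane/">editor-jane</a> <a href="/category/news/">news</a></article>
</body></html>"""


def leak_report():
    """Run all three checks over the constructed samples; each value is what that path disclosed."""
    return {
        "author_redirect": username_from_author_redirect(SAMPLE_LOCATION),
        "author_sitemap": usernames_from_author_sitemap(SAMPLE_SITEMAP),
        "html": usernames_from_html(SAMPLE_HTML),
    }


if __name__ == "__main__":
    for source, slugs in leak_report().items():
        print(f"{source}: {slugs}")
```

If the redirect check returns None after the .htaccess rule is in place but the sitemap or HTML checks still return slugs, the rule has closed only one of the three doors.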