How Did They Get My WordPress Username?

I currently manage over 50 WordPress websites and have the Limit Login Attempts plugin set to send an email whenever anyone tries to log into one of these sites and fails. It doesn’t take long for a new WordPress website to go through its first brute force login attack. When this happens, I monitor the attack and watch the usernames attempted. Almost every time, the usernames attempted are admin, test, or a variation of the site name, so please do not use one of these usernames on your WordPress website. Limit Login Attempts locks out attempts by IP address; however, when a brute force login attack is underway, your site will be hit from thousands of different IPs, giving attackers many attempts to try different passwords before any single address is locked out.


Hey, that’s my real username

One day I noticed a login attempt on a website with my real username, and it was not me. I know it was not me because I was asleep at 3:00 am. The username I used was not common, nor was it easily guessable, and there were no other random usernames attempted. Somehow someone had got my real username. I build my own themes and do not display the username in any templates or anywhere on my sites. I felt violated, and a Google search was not helpful. Eventually I found that the Yoast SEO plugin was publishing a user sitemap, which had my username in the paths. YIKES! I quickly went through every site I manage and turned off the Yoast SEO user sitemap (first option on the XML Sitemaps settings page). I thought I had figured out how my username was detected. I changed my username on that site and moved on.

A few months later, I noticed again that someone had attempted to log into the same website with my new username. I verified that the user sitemap was still turned off in the Yoast SEO plugin. I was told there are many ways a hacker can find your username on a WordPress website; I asked how, but was not given any answers. Then I found a tricky little URL that, when pretty permalinks are turned on, redirects to a URL that includes the username: /?author=N. Replace N with a number corresponding to a user ID and WordPress redirects to that user’s author archive (/author/username/ by default), so the redirect target alone reveals the login name for that ID. Don’t think removing the first user created in WordPress is going to save your butt: changing N to 2 or higher reveals the other usernames, so every account on the site can be enumerated, not just user ID 1.

How to Protect Yourself

If your site is hosted on Apache, you can add the following to your .htaccess file (outside the # BEGIN WordPress / # END WordPress block, which WordPress rewrites on its own) to stop the author permalink redirect. Replace google.com with your website’s homepage or any other website you want to send nefarious users to. The REQUEST_URI condition keeps the rule from firing inside wp-admin, where the post list also filters by ?author=N, and the (^|&) form catches author= anywhere in the query string rather than only when it is the first parameter. The trailing ? on the target discards the original query string, so the user ID is not carried along.

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule (.*)  http://www.google.com/? [R=301,L]

If you host with a WordPress-specialized host that doesn’t use Apache (usually they use Nginx) or doesn’t let you edit your .htaccess file, you’ll need to contact your host and ask them to make this change for you.

There is also a handy little plugin, Remove Author Pages, that returns a 404 instead of the redirect when /?author=N is requested.
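To see what the /?author=N leak looks like from the attacker’s side, and to confirm it is closed after the rewrite rule or the plugin is in place, here is a small checker. It is an added example written for this page, not code from the original post or from any plugin. It requests each user ID without following redirects and reads the username out of the Location header; the site name example.test, the user names jsmith and webeditor, and the canned responses are constructed for the offline demo, and the live fetcher only runs when you pass a real URL on the command line.

```python
"""Check a WordPress site for username leakage through /?author=N.

Added example, not code from the original post. With pretty permalinks on,
WordPress answers /?author=N with a redirect to /author/<nicename>/ (the
nicename defaults to the sanitized login name), so the Location header
alone reveals the username for user ID N without following the redirect.
Run it against a site before and after adding the rewrite rule or the plugin
to confirm the leak is closed.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A probe result is (HTTP status, Location header or None).
Response = Tuple[int, Optional[str]]
Fetcher = Callable[[str], Response]

AUTHOR_PATH = re.compile(r"^/author/([^/?#]+)/?$")
REDIRECT_CODES = {301, 302, 303, 307, 308}


def username_from_location(location: Optional[str]) -> Optional[str]:
    """Return the author slug from a redirect target such as
    https://example.test/author/jsmith/ (absolute or relative), else None."""
    if not location:
        return None
    match = AUTHOR_PATH.match(urllib.parse.urlsplit(location).path)
    return match.group(1) if match else None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of following, so Location stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetcher(url: str) -> Response:
    """Live fetcher: one GET without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers={"User-Agent": "author-leak-check/1.0"})
    try:
        with opener.open(request, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx both land here
        return err.code, err.headers.get("Location")


def enumerate_authors(site: str, fetcher: Fetcher, max_id: int = 10) -> Dict[int, str]:
    """Probe /?author=1..max_id and return {user_id: username} for every leak.

    IDs that do not exist normally get a 404 (no redirect), and a site with
    the rewrite rule in place redirects somewhere that is not an author
    archive, so both cases yield no entry."""
    base = site.rstrip("/")
    leaked: Dict[int, str] = {}
    for uid in range(1, max_id + 1):
        status, location = fetcher(f"{base}/?author={uid}")
        if status in REDIRECT_CODES:
            name = username_from_location(location)
            if name:
                leaked[uid] = name
    return leaked


# Constructed sample responses for the offline demo (example.test is not a
# real site): an install leaking two accounts, then the same URLs after the
# .htaccess rule sends every author query to Google instead.
LEAKY_SITE: Dict[str, Response] = {
    "https://example.test/?author=1": (301, "https://example.test/author/jsmith/"),
    "https://example.test/?author=2": (301, "/author/webeditor/"),
}


def fake_leaky_fetcher(url: str) -> Response:
    return LEAKY_SITE.get(url, (404, None))


def fake_fixed_fetcher(url: str) -> Response:
    return (301, "http://www.google.com/")


def demo() -> Tuple[Dict[int, str], Dict[int, str]]:
    """Results before and after the fix, using the constructed responses."""
    before = enumerate_authors("https://example.test", fake_leaky_fetcher, max_id=5)
    after = enumerate_authors("https://example.test", fake_fixed_fetcher, max_id=5)
    return before, after


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # python3 author_check.py https://your-site.example
        print(enumerate_authors(sys.argv[1], http_fetcher))
    else:
        before, after = demo()
        print("leaking:", before)  # {1: 'jsmith', 2: 'webeditor'}
        print("fixed:  ", after)   # {}
```

Run it against one of your own sites only. An empty result means every probed ID either 404ed or redirected somewhere other than an author archive; if the rewrite rule is in place but a name still shows up, the rule is probably sitting inside the WordPress block of .htaccess or the host is not running Apache.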

I use safe passwords. Do I need to worry about this?

To me, knowing your username is knowing half the puzzle. Once an attacker has one constant, they only have to vary one thing, the password, to attempt access to your website. Yes, Limit Login Attempts limits the number of attempts from each IP address, but over time and with enough IP addresses they can try thousands and thousands of different passwords. Definitely use long passwords that are hard to guess or socially engineer (for heaven’s sake, don’t use child or pet names you tweet about). But keeping your username out of attackers’ hands adds another security block and should help keep your site secure.