13

I've noticed a brute force attempt on several different WordPress installs that knows the right admin user name for those respective sites...

It seems very strange that the hacker would be able to find the username but not the password... Furthermore, I've checked these WordPress builds, and I do not see where they are leaking that information anywhere - albeit that is likely the answer...

While I am not worried about the attacker getting through thanks to a whitelist I've already implemented - I am concerned that whatever vector this hacker is using could be used to obtain more sensitive information.

bad_coder
rm-vanda
  • They may just be taking a look at the author profile list for the user with an id of 1. [WordPress Username Exposed?](http://wordpress.org/support/topic/wordpress-username-exposed) This would expose the username for the first account created, presumably the admin user, but nothing else of substance. – Xander Aug 27 '14 at 21:19
  • It is, in fact, domain.com?author=1 that is leaking the info. – rm-vanda Aug 28 '14 at 15:16
  • Well, this actually may not be the answer, but FYI, penetration testing software like Kali has an inbuilt wpscan tool which can enumerate the username, themes and plug-ins used and can list the vulnerabilities in those plug-ins and themes. The remaining brute force attack can be done by using any tools found on the Web. Here, I am not saying Kali is bad, but it can be easily misused by script kiddies. – Prakash Aug 28 '14 at 16:34
  • I found this link to be very useful to prevent various common attacks on WordPress. http://blog.qburst.com/2015/04/how-to-secure-wordpress-and-protect-your-blog/ – Anonymous Platypus Jun 10 '15 at 09:53

4 Answers

8

I noticed this as well and wrote a blog post about it a while ago: wordpress username leak. To summarize:

The leak is probably here: example.com/author/user_nicename. This page can for example be reached via example.com/?author=1.

WordPress has three username related fields in the database: username, nickname, and user_nicename.

username is the name with which you log in, nickname is the name which should be displayed, and user_nicename is the slug version of username, which is used in the author link.

To fix this, you can set user_nicename to nickname in the database.

tim
5

I had the same problem and blocked the requests for the author scanning with the following htaccess:

```apache
# Stop Author Scanning
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
```
Roger Burkhard
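To check from the access log whether author scanning is happening and whether it leaked anything, the following added example (not part of the original answer) applies the same `author=\d+` pattern to Apache log lines and groups the results by client IP. It assumes the common/combined log format and that a leaked author ID shows up as a 301/302 redirect to the author page; the log lines, the `siteadmin` slug and the function name are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Same pattern as the RewriteCond above, case-insensitive like [NC].
AUTHOR_RE = re.compile(r"author=(\d+)", re.IGNORECASE)
# Apache common/combined log format: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.9 - - [27/Aug/2014:21:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.9 - - [27/Aug/2014:21:00:02 +0000] "GET /author/siteadmin/ HTTP/1.1" 200 5120
203.0.113.9 - - [27/Aug/2014:21:00:03 +0000] "GET /?author=2 HTTP/1.1" 404 0
203.0.113.9 - - [27/Aug/2014:21:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3012
203.0.113.9 - - [27/Aug/2014:21:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3012
198.51.100.4 - - [27/Aug/2014:21:05:00 +0000] "GET /?p=12 HTTP/1.1" 200 8000
198.51.100.4 - - [27/Aug/2014:21:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.7 - - [27/Aug/2014:21:07:00 +0000] "GET /?AUTHOR=1 HTTP/1.1" 403 0
"""

def find_author_scans(log_text):
    """Per client IP: author IDs probed, IDs answered with a redirect
    (the leak), and login POSTs seen after the first probe."""
    report = defaultdict(lambda: {"probed": set(), "leaked": set(), "login_posts": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        hit = AUTHOR_RE.search(url.query)
        if hit:
            entry = report[ip]
            entry["probed"].add(int(hit.group(1)))
            if status in ("301", "302"):  # assumed: redirect to the author page
                entry["leaked"].add(int(hit.group(1)))
        elif method == "POST" and url.path.endswith("/wp-login.php") and ip in report:
            report[ip]["login_posts"] += 1  # login attempt from a scanning IP
    return dict(report)

if __name__ == "__main__":
    for ip, entry in find_author_scans(SAMPLE_LOG).items():
        print(ip, sorted(entry["probed"]), sorted(entry["leaked"]), entry["login_posts"])
```

An IP with a non-empty `leaked` set followed by login POSTs matches the pattern described in the question; a 403 on the probe, as in the last sample line, is what the rewrite rule produces once it is active.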
2

Recently I found a different path of username leakage.

By default the Yoast SEO plugin makes author-sitemap.xml available with a list of authors. This behaviour can be turned off in Search Appearance -> Archives.

1

By default, WordPress usernames are not a secret by any means. As the other answers point out, there are many ways of finding the usernames, either by URL or even inside the content of the page itself (author class names).

There are numerous methods of hiding usernames and/or fighting against brute force attacks, but the simple answer to your question is that unless you have gone to some length to block usernames from being visible then the default for WordPress is that usernames are not kept secret and are easily visible.

KnightHawk