
Recently I've had brute force attack attempts on some of my WordPress sites and the attackers are using actual usernames other than the default admin (which was removed).

How is it possible for them to know the usernames in a site's database without administrator privileges? (assuming they didn't get it from me directly using malware)

What are ways to prevent this from happening?

btw: All of my sites use the current version of WordPress.

Thanks for your help!

Ray3400

3 Answers

There are open source tools such as wpscan that allow for enumeration of WordPress usernames.

To stop it you could try something like this WordPress plugin, which claims to be able to stop wpscan's username enumeration.

Rory McCune

I'm not sure how your site is configured - but one thing to double check is that the names that are posted up along with blog posts are not the same as the poster's login ID.

I'm not sure if it's still possible but at one time it was possible to enumerate users by just ticking through each author:

myWordPressSite.com/?author=1
myWordPressSite.com/?author=2
... 

I don't use WordPress enough to know if this is still possible, but it couldn't hurt to see if this works on your site, and if it does I would lock that down.

Abe Miessler

I can suggest you update your WordPress version, update your template and your plug-ins, and change the password of all admins.

Another thing: you can install plug-ins such as 'WordPress Security' or Wordfence (which protects you and bans the IP of attackers after 1-3 false passwords and brute-forcing sessions).