
WordPress toolbox - strengthen security by not exposing username

Shane Hollis shared this idea 13 months ago
Needs Review

I am receiving a lot of notifications that dead heads are trying to break into the WordPress setup at example.com using the default username set up by WordPress Toolkit.

12 failed login attempts (3 lockout(s)) from IP 103.136.200.171

Last user attempted: admin_asd56ty

IP was blocked for 20 minutes

This notification was sent automatically via Limit Login Attempts Reloaded Plugin. This is installed on your example.com WordPress site. Please login to your WordPress dashboard to view more info.

This is happening a lot. Yes, the login attempts plug-in is dealing with this, but it should be dealing with crackers who know the login name, especially as it is obfuscated by not using default logins like admin or root etc.

The cause of this issue is as follows:

In WordPress a new user is created using:

  • Username
  • First / Last Names
  • Nicknames
  • Display name publically as:

The toolkit puts the username into the nickname as well as the username. Nicknames can be seen by external scanners, and if the nickname is the same as the username then the crackers can attempt a brute force using a true username.

Nickname should NEVER be the username but another name.

Public name should never be the username but a completely different name.

Suggestions:

1 - Keep the username obfuscated, e.g. admin_asd56ty.

2 - Do not use admin as the start of the name. It is possible "display name publicly as" picks up the bit before the underscore automatically. On example.com the publicly displayed name is admin. That's just inviting crackers to brute force using admin as a name. No, it won't work, but if a hacker thinks the public name might be the same as the username (admin) it invites more attempts. There is also another useful reason below.

3 - Make nickname a user choice - but check it is not the same as the username.

4 - Make public name the same as nickname.

5 - Check first and last names are not related to the username.

6 - ADD IN an automatic ban for logins as certain usernames, e.g. nickname, first name, last name, public name, and also root, admin, administrator. One strike and blocked.

Finally

Using an obfuscated username is good security. Well done. Using that as a nickname just hands the obfuscated name to the outside and negates that good work.
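As an added example (not code from WordPress Toolkit, from Plesk, or from this post), the following WordPress must-use plugin enforces suggestions 3 to 6 above using core hooks that exist in WordPress (user_profile_update_errors, user_register, authenticate). The plugin file name, the "member-" decoy prefix, the contents of the deny list and the sample login "admin_asd56ty" in the comments are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Decoy-name guard (illustrative example, not WP Toolkit code)
 * Description: Keeps nickname / display name / first / last name distinct from the
 *              login name, and rejects login attempts that use those public names
 *              or generic account names (root, admin, administrator).
 *
 * Assumed location: wp-content/mu-plugins/decoy-name-guard.php
 */

/** Generic account names that are never accepted at the login form (assumed list). */
const DECOY_GUARD_DENYLIST = array( 'root', 'admin', 'administrator' );

/**
 * Case-insensitive check that a public-facing name reveals the login name:
 * it contains the login, or equals the generic prefix before the first underscore
 * (for a toolkit-style login such as "admin_asd56ty" that prefix is "admin").
 */
function decoy_guard_reveals_login( $login, $public_name ) {
    $login = strtolower( trim( (string) $login ) );
    $name  = strtolower( trim( (string) $public_name ) );
    if ( '' === $login || '' === $name ) {
        return false;
    }
    $prefix = strtok( $login, '_' );
    return false !== strpos( $name, $login ) || $name === $prefix;
}

/** Suggestions 3 and 5: refuse profile saves where a public name leaks the username. */
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    $login  = wp_unslash( $user->user_login );
    $fields = array(
        'nickname'     => 'Nickname',
        'display_name' => 'Display name',
        'first_name'   => 'First name',
        'last_name'    => 'Last name',
    );
    foreach ( $fields as $key => $label ) {
        $value = isset( $user->$key ) ? wp_unslash( $user->$key ) : '';
        if ( decoy_guard_reveals_login( $login, $value ) ) {
            $errors->add( 'decoy_guard_' . $key, sprintf( '%s must not reveal the username.', $label ) );
        }
    }
}, 10, 3 );

/** Suggestion 4: repair accounts created by other tools, right after creation. */
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $nickname = get_user_meta( $user_id, 'nickname', true );
    if ( decoy_guard_reveals_login( $user->user_login, $nickname )
        || decoy_guard_reveals_login( $user->user_login, $user->display_name ) ) {
        // Constructed decoy: "member-" plus random letters, unrelated to the login.
        $decoy = 'member-' . strtolower( wp_generate_password( 6, false ) );
        // Nickname and public display name become the same, non-login name.
        wp_update_user( array( 'ID' => $user_id, 'nickname' => $decoy, 'display_name' => $decoy ) );
    }
}, 10, 1 );

/** Suggestion 6: reject logins that use a public (decoy) name or a generic account name. */
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $username = trim( (string) $username );
    if ( '' === $username ) {
        return $user;
    }
    $blocked = in_array( strtolower( $username ), DECOY_GUARD_DENYLIST, true );

    // A genuine login name is left to core, which checks the password as usual.
    if ( ! $blocked && ! get_user_by( 'login', $username ) ) {
        // A name that matches someone's nickname or display name is a scraped decoy.
        $by_nickname = get_users( array(
            'meta_key'   => 'nickname',
            'meta_value' => $username,
            'fields'     => 'ID',
            'number'     => 1,
        ) );
        $by_display = get_users( array(
            'search'         => $username,
            'search_columns' => array( 'display_name' ),
            'fields'         => 'ID',
            'number'         => 1,
        ) );
        $blocked = ! empty( $by_nickname ) || ! empty( $by_display );
    }

    if ( $blocked ) {
        // Returning WP_Error makes wp_authenticate() fire wp_login_failed, so an
        // existing lockout plugin (such as Limit Login Attempts) counts the strike.
        return new WP_Error( 'decoy_guard_blocked', 'Invalid login.' );
    }
    return $user;
}, 5, 3 );
```

Two caveats on the design. The deny list is applied even when an account with that login exists, so rename any real "admin" account before enabling the plugin, otherwise it locks itself out. And the login check deliberately skips names that are a genuine login, so an account whose nickname already equals its login is not blocked at the login form; it is caught the next time the profile is saved. The plugin also changes nothing about the user slug (user_nicename), which WordPress derives from the login and exposes through author archives and the REST API; that is a separate fix.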
