Feature Idea – Instantly lockout anyone that tries "admin"

I’d like to second this and actually came here to suggest just that.

Auto-lock anyone trying “admin” or any specifiable user … no matter if the attempt was successful or not.

So… this is a bit funny since this was originally my idea, but thinking more about it it’s probably unnecessary.

The point of LLA isn’t to prevent 5 failed login attempts vs 1, It’s to block 1,000’s of login attempts. Pretty much any server should hold up to 5 attempts from a single IP.

So while, I still think this would be “cool”, not sure it’s actually very beneficial to add.

Well – I think it’s a good idea. The main hack attempts I get are to admin, Administrator, test, and the main blogging account.

I’d further mention that it would be useful to display the date in the logs. Very useful that it shows the log but without the date, theres little context.

One thing I find really odd is the fact that these hackers seem to know the publishing authors of the articles. I looked at the source code of my sites but can’t find anything.
Wherever this data is, wouldn’t it be an idea to either NOT publish that data or if, then use a different “author”?

Mores:
Most blog articles display the authors name. This often matches the username but thats easy enough to change in Users

@mores – enumerating all the user name from a site is pretty trival. Malicious login attempts using “admin” are just to lazy to even try to get a real user name.

For example from the 2014 demo site, author’s name link has usename in the url:
https://cloudup.com/clR3ceYb-vn

There are scripts that automate scraping those.

@david, @jon: We have a pretty heavily customized theme that displays authors, but without the email address.
The interesting part: these are the true literary authors, but the wp-user who’s actually uploading it is a different person.
And these “hidden” editor accounts are the ones being targeted.
Admin too, of course, but all the other wp-editors who contribute. So an article says “Author: Dr.Med.PDH John Doe” but it was actually “editor-steff” who uploaded it. And “editor-steff” is who’s being targeted.

So I’m wondering as to where someone would find out that “editor-steff” is the “author” that wordpress has stored in the DB. Maybe in a feed? Is it because WordPress is communicating our posts (all different CPTs) somewhere?

PS: Thanks for the replies!

Hi Mores
Keep in mind that the bots don’t look at the displayed page, they look at the code. Something in there is going to tie the author name to their profile. Apparently not just in the database. Not sure how that’s done in WP but I notice a lot of author references in the code. Some of that is theme, some WP.

And yes, WP communicates the posts a number of ways, depending on how you’re set up. The default goes to 2 ping sites for example plus RSS feeds.

WP is set up to communicate and advertize posts.

The key of course for any editor plus accounts is strong passwords. You should never assume the account can’t be pinged or something. If it’s on the web, it’s not hidden.

I had a staff member once rather upset a competitor. He was curious about their code, so he downloaded their entire password protected site. They saw the traffic and when they realized it was a competitor, had a bird.

Thanks for trying to help, David. I did check out the source code, both the theme and the stuff that gets rendered to the visitor. (I built the theme, btw)
That’s why it’s so frustrating. I am positive that there is no normal way of extracting the system editors when we took all precautions to prevent just that – and now they’re the only ones being brute-force attacked.

Imagine my joy when I recently discovered one of our editors using a 3-letter password!
She changed it from the super-secure one I set up >:-(

I’ll have a go at ping settings and I can imagine that maybe even the google sitemap plugin might show more than it is supposed to. Thanks for the pointers!

I just came here to suggest the same feature! And here it is – right on top!

Most of my failed attempts are under user ‘admin’ which is NOT my admin name…

BTW: I simply deleted (actually only ‘commented out’) the function that displays “Posted by” on top of my posts – so it’s not there to exploit. This is saved in my ‘child theme’, so future theme updates don’t overwrite it. I realised it was the first weakness giving away my ‘real’ username as admin.

I have an ‘Author Box’ below each post which is linked to Gravatar accounts (not the WordPress user accounts!) – that should suffice.

A user in the German WP forums posted some code for wp-config.php to directly redirect login attempts with “admin” and similar to a protected directory: https://forum.wpde.org/allgemeines/137958-brutforce-angriff-auf-admin-login-diesmal-mit-korrekten-usernnamen-3.html#post597020

Then you can read the IP addresses from the error log file of your server so you can blacklist them.

Here’s the fix to lock out admin (and other hacker script guesses) on the first attempt.

Modify function limit_login_failed by adding some code after this block:

/* Check validity and add one to retries */
	if (isset($retries[$ip]) && isset($valid[$ip]) && time() < $valid[$ip]) {
		$retries[$ip] ++;
	} else {
		$retries[$ip] = 1;
	}

Add this code:

$lowerUser = strtolower($username);
	$kcsrvr=explode('.',$_SERVER['SERVER_NAME']);

	$badnames=array('admin','administrator','support',$kcsrvr[0],$_SERVER['SERVER_NAME'],'{domain}','sysadmin','root','webmaster','anonymous','test',$kcsrver[0].'-poster''%firstuser%','adm','demo','webadmin','user','no-matches');

	$badname = in_array($lowerUser,$badnames);

Then to this line

/* lockout? */
	if($retries[$ip] % limit_login_option('allowed_retries') != 0) {

add && !$badname like this:

/* lockout? */
	if($retries[$ip] % limit_login_option('allowed_retries') != 0 <strong>&& !$badname</strong>) {

oops! remove the … tag in that last code since that was an accidental click of bold on the code.