• Resolved pingram

    (@pingram3541)


    FYI, this protection in the WF options area seems to be broken. Even though the option is enabled to protect this known welcome mat to hackers, the “title” tag in the page head for URLs like /?author=1 still reveals usernames, and I can see many failed login attempts against my username and those same IPs hitting this URL beforehand. Using twentyfifteen w/ only the WF plugin to test this on a fresh server only spun up an hour ago.

    https://www.ads-software.com/plugins/wordfence/

Viewing 15 replies - 1 through 15 (of 18 total)
  • Checking this in a few minutes. I’ll report back and fire up the dev team if needed.

    Thanks for reporting this.

    tim

    I can’t duplicate this with a new version of wordfence and a new version of wordpress. Can you tell me what other login or security related plugins you are running?

    tim

    Thread Starter pingram

    (@pingram3541)

    Very strange. I tested this on 2 sites yesterday, 2 different hosts as well, one of which was a fresh WP w/ only twentyfifteen installed and the ?author=1 link was still producing a page w/ the author name in the title tag. I even logged out just to be sure that maybe the behavior is different when logged in, but testing today any version of that url does indeed redirect back to the home page and seems as though everything is working as it should. I’m perplexed.

    Yeah. I tried logged in and out, with Wordfence on and off. I just couldn’t make it happen. It took me a couple of days to get back to you because I wanted to be sure I was testing correctly to duplicate the issue.

    Glad it’s all working now.

    tim

    Thread Starter pingram

    (@pingram3541)

    Got another site this is happening on, so I’m glad I’m not going crazy here. What’s the best way to PM you the info so you can see this first hand? Thanks again for a really great product btw.

    Thread Starter pingram

    (@pingram3541)

    Ah, just discovered that /?author=1 redirects to the home page as desired, but /?author=2 and higher do not, and they reveal the user name if that ID exists.
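    An added example, not code from this thread or from Wordfence: a small Python check that runs over web-server access log lines and reports, per client IP, which /?author=N IDs were probed, which of those were served a 200 page instead of a redirect (the ID-1-only gap described above), and how many wp-login.php POSTs followed the probe (the pattern from the opening post). The log lines, IPs and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined log format (not from the thread): the
# first IP probes /?author=N, only ID 1 is redirected, then it tries wp-login.php.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2015:09:12:01 +0000] "GET /?author=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2015:09:12:02 +0000] "GET /?author=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2015:09:12:03 +0000] "GET /?author=3 HTTP/1.1" 200 5098 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2015:09:14:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2015:09:14:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2015:09:20:00 +0000] "GET /about/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2015:09:20:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def parse_log(text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
            yield m['ip'], ts, m['method'], m['path'], int(m['status'])


def analyze(text):
    """For each IP that requested ?author=N: the IDs probed, the IDs answered
    with a 200 page (no redirect, so the username page was served), and the
    number of wp-login.php POSTs from that IP after its first probe."""
    probes, first_probe, logins = defaultdict(dict), {}, defaultdict(int)
    for ip, ts, method, path, status in parse_log(text):
        m = AUTHOR_RE.search(path)
        if method == 'GET' and m:
            probes[ip][int(m.group(1))] = status
            first_probe.setdefault(ip, ts)
        elif (method == 'POST' and path.startswith('/wp-login.php')
              and ip in first_probe and ts > first_probe[ip]):
            logins[ip] += 1
    return {ip: {'probed': sorted(ids),
                 'leaked': sorted(i for i, s in ids.items() if s == 200),
                 'logins_after_probe': logins[ip]}
            for ip, ids in probes.items()}
```

    Running `analyze(SAMPLE_LOG)` flags only 203.0.113.7, with IDs 2 and 3 leaked and two login attempts after the probe; the second IP logged in without ever touching ?author= and is not reported.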

    Just verified this and am submitting a bug now. Thanks!

    tim

    FB708

    Ross

    (@scootpunker)

    Please forgive my ignorance with regard to code etc. I have three users on a site. I am the only admin. Wordfence has blocked many attempts to log in with incorrect user names, but recently I noticed it was doing so with actual user names. Is this a setting I need to change, or is this the bug fix Tim is submitting above? I don’t think I’m hijacking here.. if so please feel free to slap my wrist and I will post a separate thread. Thank you! (btw, the bots/hacks have never tried to log in with my username, which is listed in the number one slot on the user list)

    Yeah, this isn’t related. Anyone that gets blocked gets a specific blocked message that says exactly why they were blocked. Have them screenshot the message so we can see it.

    tim

    Ross

    (@scootpunker)

    Ok, sorry about that. I’ll start a new thread. It isn’t that my users are getting blocked.. it’s that the bots are trying to log in with correct user names. I’m just not sure how they are seeing them or getting them. Thanks Tim!

    Ross

    (@scootpunker)

    Additionally, it appears to be a WordPress issue, not Wordfence, so I posted in the wrong area entirely. Thanks again.

    No problem

    Thread Starter pingram

    (@pingram3541)

    I believe it is related. The expectation is that the plugin will block attempts at revealing the actual user account names, (author names). In my tests, this is not being blocked and that is why you are seeing attempts to login with real user names. Same issue in my opinion.

    Ross

    (@scootpunker)

    I poked around in the general forum for WordPress support. Lots of this popping up in the last year or more. I was unable to get the example.com/?author=2 to work (sent me to the home page), so maybe there is a different exploit out there? The other threads seem to indicate some changes to the htaccess file, but I’m totally afraid to do that at my level of experience.
    https://www.ads-software.com/support/topic/disturbing-login-hack-attack-using-real-usernames?replies=14

    I’ll bring in one of my coder buds to fix it I guess. Ultimately Wordfence has been alerting me which is good. Passwords are big ones.. so I’m not super worried about the bots getting in.. but it is disconcerting to say the least.

    Thread Starter pingram

    (@pingram3541)

    In my situation it’s only real people finding exposed user names and attempting to log in. I agree, the most important thing is getting the reports and being able to block x number of attempts which wordfence is doing very well at the moment.

  • The topic ‘Still allows visibility of admin usernames’ is closed to new replies.