Admin username found – IP blocked

Hello,

Hackers are sneaky. Are all your themes and plugins up-to-date? Holes can be introduced there. You may want to create a new admin user and decommission the user that was discovered.

-Brian

Thanks. Everything is up-to-date, and I’ve already decommissioned the admin user, of course. I’ve tried all of the usual suspects (looking for author ID, etc.), but haven’t been able to hack to find the admin username myself. Scans find no malware… Have a ticket in to the hosting company… have a feeling it’s on their end. The site is really just a testing site, so it’s not critical, but I’d like to know where the hole is anyway! Will report back if I find out.

Are any of the posts by the admin user (even the default Hello World post)? Check the author. Also check “uploaded by” tag on images/media. Easy to forget but also easy for a hacker to see.

tim

Well, that was dopey… yes, posts were by admin user, and it showed up in source code, even though front end display is off.
A theme problem, right?

<header>
      <h1 class="entry-title">Hey — Where’d my toolbar go?</h1>
      <div class="subhead">
    <span class="postauthortop author vcard">
    <i class="icon-user"></i> by <a href="https://mysitename.com/author/adminusername/" class="fn" rel="author">D D</a> |</span>