• Resolved pattycake22

    (@pattycake22)


    I changed the admin username to a new one. Within one month, I already had login attempts trying to log in with this new and very unique username.

    My site does not allow anyone to sign up or register.

    How are they able to even know what this new admin username is?


Viewing 1 replies (of 1 total)
  • Plugin Support wfscott

    (@wfscott)

    Hello, @pattycake22

    Usernames can be leaked via plugins and themes and unfortunately, that is not something that can always be prevented. Overall, the best option is to use an admin username that is not easily guessable (avoid using “admin”), and then focus on your password and login settings from there. I see you mention you’re currently using a unique admin username already, which is good.

    We have a feature in the Brute Force Protection settings (Wordfence > All Options > Brute Force Protection > Additional Options) labeled “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API”. I suspect you have this enabled already, but if not, I would recommend it as it can help with this issue.

    You can then focus on securing your login functionality by using a complex and unique password, strong Brute Force Protection settings, and two-factor authentication (2FA). If you’re not running a membership site and just have a few admins logging in (or less), you might consider only allowing 3-5 login failures, 2-3 forgot password attempts, and count those over 30+ minutes (these settings are in Wordfence > All Options > Brute Force Protection). From there, while using a complex password and 2FA, your site will be well protected against brute force attacks.

    If you have any questions, please let me know.
    Scott
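
Added example, not part of the original thread and not Wordfence code: a log check that flags requests using the three discovery routes named in the reply above (`/?author=N` scans, the oEmbed API and the WordPress REST API). It assumes a combined-format access log and WordPress's default REST paths; the sample lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:10:05:00 +0000] "GET /wp-json/oembed/1.0/embed?url=https%3A%2F%2Fexample.test%2Fhello%2F HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:06:00 +0000] "GET /blog/?page=2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.21 - - [10/Mar/2024:10:07:00 +0000] "GET /?rest_route=/wp/v2/users/1 HTTP/1.1" 403 90 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')

def classify(target):
    """Return the username-discovery route a request target matches, or None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    path = parts.path.rstrip("/")
    # Without pretty permalinks the REST API is reached as ?rest_route=/...
    rest = query.get("rest_route", [""])[0].rstrip("/")
    if any(v.isdigit() for v in query.get("author", [])):
        return "author-scan"
    for p in (path, rest):
        if re.search(r"/wp/v2/users(/\d+)?$", p):
            return "rest-users"
        # oEmbed responses carry the post author's name; embeds by other
        # sites also hit this route, so treat it as a low-signal hit.
        if p.endswith("/oembed/1.0/embed"):
            return "oembed"
    return None

def find_username_probes(log_text):
    """Map client IP -> list of (route, HTTP status) for matching requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, target, status = m.groups()
        route = classify(target)
        if route:
            hits[ip].append((route, int(status)))
    return dict(hits)

if __name__ == "__main__":
    for ip, probes in find_username_probes(SAMPLE_LOG).items():
        print(ip, probes)
```

A single address walking `author=1`, `author=2`, ... or requesting the REST users list shortly before login failures against the new username is the pattern to look for; the status codes show whether those requests were answered or blocked.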

  • The topic ‘blocked logins found new admin username’ is closed to new replies.