• Resolved lagunas

    (@lagunas)


    Hi!
    I’ve been using this plugin for a while, and recently I started getting emails about IPs being blocked due to failed login.

    This has happened before, with user names that don’t exist.
    Now all failed logins are for administrator users that do exist in my site.
    I currently have 4 admin users, and I found that using this method

    https://www.example.com/?author=ID

    the title of the page displays the nickname chosen, but the url shows the real login name.

    I did a quick search, and I think it has something to do with the user_nicename being displayed by default in the url.
    Is there a way to change this?

    Thank you!!

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 15 replies - 1 through 15 (of 19 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, can you confirm that the admin users are entering the correct logging credentials?

    Thread Starter lagunas

    (@lagunas)

    Yes, I can. In fact, one of them is me.
    I’ve deleted my old user and created a new one, and a couple of days later I started getting failed login emails with the new user.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Do you know if you have carried out any other updates since the issue began? Can you check the log files?

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi,
    Are you currently hiding your login page using one of our features?

    Thread Starter lagunas

    (@lagunas)

    Hi!
    I’m not hiding the login page.

    No updates since the issue began, other than wordpress’ auto update to 4.2.4.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, can you check the log files? Can you confirm that no other file has changed in your website using the Scanner?

    Plugin Contributor wpsolutions

    (@wpsolutions)

    I suggest that you hide your login page and also enable the pingback protection feature. if you do this it doesn’t matter if someone knows your username because they won’t be able to do anything with it.

    Thread Starter lagunas

    (@lagunas)

    Thanks for your answer!
    I can’t tell exactly when this started happening, but today it happened for the first time on another site!
    And this time I know for sure that the only thing that’s changed is the plugin underConstruction

    I’ve used it for years on other sites with no problems, but now it seems to have changed.
    And I’m also using that plugin on the other site.

    Could that be it??

    I did a quick search, and I think it has something to do with the user_nicename being displayed by default in the url.
    Is there a way to change this?

    Do you have phpMyAdmin access to your WordPress database? If so, you can change the field “user_nicename” in the wp_users table. By default, this field is the same as your username except it’s all lowercase and non-URL-friendly characters are removed. It’s the user_nicename that is displayed in author URLs, not the username, so changing the user_nicename value to something different will keep your username from being displayed publicly. See this article for more info. There’s no way to make this change via your WordPress admin.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    @lagunas as @wpsolutions suggested above. Your best bet is to use one of the Brute Force features to hide your login URL. Start by enabling the following option Enable Rename Login Page Feature:

    Thread Starter lagunas

    (@lagunas)

    Will do that.
    Thanks!!

    @lagunas and @jjbte :
    I agree 100% with both of you! In fact, I also raised this concern on the following WordPress post.

    Readers should know that this idea works perfectly, even after Posts have been published.

    Simply log into phpMyAdmin, select your WP database, browser the WP_USERS table, and alter (for every user) the “user_nicename” value to something different than the actual login name .. and, of course, unique across all records in this table.

    In my opinion, this action should be completed IMMEDIATELY after creating a new username .. and certainly BEFORE exposing your website to search engine crawlers.

    I performed a test, by posting TWO articles – one with a WP User “my-test-user” whose “user_nicename” value was the same as their login name. Google results included both articles and, in particular, the article published by the aforementioned user revealed their username as such: https://mydomain.com/author/my-test-user/

    Granted, there are other more promising means to protecting one’s WordPress security (as outlined throughout this post). However, I do not understand why WordPress has not taken measures to fix this “information leak”.

    Totally agree, IRD-dev! When I set up a new WordPress site, I usually create at least an Admin and an Editor or Author right off. I change their user_nicenames right away. I also change the auto-increment on my users table so the IDs aren’t what would be expected or easy to guess.

    I usually don’t create posts under an Admin, or if I do, I make sure to change the author to a user with lesser capabilities. Also, unless I’m creating a blog with multiple authors, I usually remove the post author link from the post meta so it’s less likely to be found by search engines.

    And I put this code in my .htaccess to prevent author queries:

    # Prevent author ID URL queries
    RewriteCond %{QUERY_STRING} author=([0-9]){1,}$ [NC]
    RewriteRule ^(.*)$ $1?author=999999 [L]

    I still use it even though WP Security has Users Enumeration protection built in.

    And of course I take other steps like renaming the login page. And if it’s not needed, turn off XMLRPC (just make sure you really don’t need it for some required functionality). One can never be too safe.

    @jjbte – Good additions to this thread. Thank you. Will also consider your .HTACCESS suggestion, where applicable.

    It’s amazing to me .. look at some of the sarcastic replies that I received on the aforementioned thread from a few “self-professed security gurus”. I’ve worked for global companies and they took EVERY precaution not to have Usernames exposed to the public or even a corporate passer-by. 100% foolproof? Of course not .. but RISK and COMPLIANCE still considered it mandatory. The best option is to cover as many bases as one can, within reason.

    Wow, IRD-dev, some of those posters are not only rude, but also completely clueless! I really had to laugh at the one who didn’t even know the difference between display_name and user_nicename. Yet he was so obviously (and obnoxiously) trying to prove how superior he is. And I couldn’t help but notice he didn’t reply again after another poster called him out on his error. Too funny!

Viewing 15 replies - 1 through 15 (of 19 total)
  • The topic ‘How can I change the user_nicename?’ is closed to new replies.