• Resolved Bill Kochman

    (@wordweaver777)


    Hello. This may seem like a silly question, but I thought I had better ask first, before I do something which might block me from my own blog.

    I run my own self-installed WordPress on my own server at home. So, I never have to administrate it remotely. It is all done locally.

    My question concerns the ban/block username feature.

    While I am normally always logged in to my blog, on occasion, I am logged out from the same. During the times that I am logged out, there is the possibility that someone else might somehow discover my username, and try to log in with it. I am talking about a remote login attempt, not a local login attempt.

    So my question is this: As the admin of my blog who uses 127.0.0.1 — or ::1 — can I add my own username to the username ban list, in order to prevent others from using it, or will doing that block me as well?

    In other words, is the local admin — and his loopback address and LAN IP address — automatically exempt from the ban username list?

    If not, what must I do to protect my username from being used by someone else from a remote location?

    Thanks for your attention.

    • This topic was modified 6 years, 3 months ago by Bill Kochman. Reason: typo
Viewing 8 replies - 1 through 8 (of 8 total)
  • What we do is have admin user accounts that are not public, never used as the author credit on a post, and of course not possible to guess. Combined with WPS Hide Login, as well as the brute force Wordfence protection and reasonable passwords, that would seem to be enough. Add regular redundant backups, stored off site, and things start getting quite secure. Add some country blocking for spice… MTN

    Thread Starter Bill Kochman

    (@wordweaver777)

    Hello, MTN. Thanks for the security tips. I already implement some of those as regular practice, including two daily, full backups of my entire blog, including databases.

    However, you didn’t really address my question regarding this plugin. That is, can I, or should I not, add my own username to the plugin’s ban list, so that no one else can try to use it? Will doing that ban me as well, or does the plugin recognize by my loopback address — 127.0.0.1 — that I am the rightful admin?

    Hi Word, first, on the All Options page in Wordfence, there is “Whitelisted IP addresses that bypass all rules”, if you have a static IP address. I’d assume you can then add your Username to the ban list and not get blocked if you’re coming from the listed IP address. For testing this sort of stuff we use two things that help. First, we always have a VPN service available so we can access under a different IP; second, we have several admin accounts, so if one gets blocked we have the others available. We’ve found the best way to answer questions such as yours, and be totally certain of the answer, is to do our own definitive testing. MTN

    Thread Starter Bill Kochman

    (@wordweaver777)

    Well, while I do have a static IP address, being as I am logging in to my blog from the same machine that the blog is hosted on, I would think that WordFence sees my loopback address — 127.0.0.1 — or maybe even my internal LAN IP address, and not my external IP address, right?

    While I could add all three IP addresses to WordFence’s whitelist, and maybe even add a second admin account, I am still not comfortable with the idea of adding my username to the block list, because I do not have a VPN. So, due to the uncertainty, perhaps I should just leave things as they are.

    Yeah, sometimes it can get to be a bit much; perhaps just do plenty of redundant backups, stored offsite, and move on to spending time creating content. I struggle with that balance constantly. On the other hand, if you’re at all serious about adjusting Wordfence and pen testing, a VPN in my opinion is an important tool. At the minimum, having an additional admin account in reserve is in my opinion an essential tool. If you don’t author any posts with it, and use a hard password and cryptic user name, as far as I know an extra account is not an additional security risk. Have done it for years on several WordPress sites that are constantly attacked. MTN

    Hi @wordweaver777!

    You can not add your own username in the banned usernames list. Well, technically you can but it won’t take effect as Wordfence will not block legitimate usernames.

    If your username leaks out it would typically be happening via your theme. Wordfence has functions that protect your username from leaking via the author page but some themes show the username in other places.

    You would be able to tell if attackers know your username because you would see lots of failed logins with your username in the login log on the Firewall dashboard.

    The best way to protect your login is to use a secure password and two factor authentication. You should not be using the same password in your WordPress installation as you’ve used elsewhere and the password should be a long set of characters that is difficult to guess.

    Hope that helps!
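    The reply above says the tell-tale sign that a username has leaked is a run of failed logins against that exact name. The script below is an added example, not code from the thread or from Wordfence: it reads a constructed, simplified failed-login log (one line per failure: timestamp, source IP, attempted username; the real Wordfence log layout is not reproduced) and separates the two patterns a practitioner wants to tell apart. A genuine username drawing failures from several distinct remote IPs means attackers know the name; a single IP cycling through `admin`, `administrator`, `test` and so on is plain guessing. Loopback addresses are ignored by default, since on a self-hosted setup like the one in the question a failed login from 127.0.0.1 or ::1 is the owner mistyping, not an attacker. The sample log lines, the username `mainauthor` and the thresholds are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from typing import Iterable, NamedTuple

# Local logins on a self-hosted site arrive from these; they say nothing
# about remote attackers, so they are excluded from the targeting check.
LOOPBACK = frozenset({"127.0.0.1", "::1"})

# Constructed sample log (not real Wordfence output). Format assumed here:
#   <ISO timestamp> <source IP> failed login user=<username>
SAMPLE_LOG = """\
2019-03-04T02:11:09Z 203.0.113.7 failed login user=admin
2019-03-04T02:11:12Z 203.0.113.7 failed login user=administrator
2019-03-04T02:11:15Z 203.0.113.7 failed login user=test
2019-03-04T02:11:19Z 203.0.113.7 failed login user=mainauthor
2019-03-04T03:40:01Z 198.51.100.23 failed login user=mainauthor
2019-03-04T03:40:05Z 198.51.100.23 failed login user=mainauthor
2019-03-04T05:02:44Z 192.0.2.88 failed login user=mainauthor
2019-03-04T05:03:10Z 192.0.2.88 failed login user=mainauthor
2019-03-04T06:17:33Z 192.0.2.200 failed login user=mainauthor
2019-03-04T07:55:02Z 127.0.0.1 failed login user=mainauthor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+failed login user=(?P<user>\S+)$"
)


class FailedLogin(NamedTuple):
    ts: str
    ip: str
    user: str


def parse_failed_logins(text: str) -> list[FailedLogin]:
    """Parse the assumed log format; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(FailedLogin(m["ts"], m["ip"], m["user"]))
    return events


def summarize(events: Iterable[FailedLogin],
              ignore_ips: frozenset = LOOPBACK) -> dict[str, tuple[int, int]]:
    """Per attempted username: (failed attempts, distinct source IPs),
    counting only sources not in ignore_ips."""
    attempts: dict[str, int] = defaultdict(int)
    ips: dict[str, set] = defaultdict(set)
    for e in events:
        if e.ip in ignore_ips:
            continue
        attempts[e.user] += 1
        ips[e.user].add(e.ip)
    return {u: (attempts[u], len(ips[u])) for u in attempts}


def targeted_usernames(events: Iterable[FailedLogin], real_usernames: set,
                       min_ips: int = 3,
                       ignore_ips: frozenset = LOOPBACK) -> list[str]:
    """Usernames that really exist and were attacked from at least
    min_ips distinct remote IPs: the leak signal described in the thread.
    Guesses such as 'admin' are dropped because they are not real accounts."""
    summary = summarize(events, ignore_ips)
    return sorted(u for u, (_, n_ips) in summary.items()
                  if u in real_usernames and n_ips >= min_ips)


def enumerating_ips(events: Iterable[FailedLogin],
                    min_usernames: int = 3) -> list[str]:
    """Source IPs that tried at least min_usernames different names.
    That is username guessing, not evidence that a specific name leaked."""
    users_by_ip: dict[str, set] = defaultdict(set)
    for e in events:
        users_by_ip[e.ip].add(e.user)
    return sorted(ip for ip, users in users_by_ip.items()
                  if len(users) >= min_usernames)


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_LOG)
    for user, (n, n_ips) in sorted(summarize(evts).items()):
        print(f"{user:15s} {n:3d} failures from {n_ips} remote IP(s)")
    print("known to attackers:", targeted_usernames(evts, {"mainauthor"}))
    print("guessing IPs:      ", enumerating_ips(evts))
```

    If the real account shows up in `targeted_usernames`, the name has leaked and the place to look is the theme output and author pages the reply mentions; if only `enumerating_ips` fires, the brute-force limits are doing their job and nothing about the account itself is known.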

    Thread Starter Bill Kochman

    (@wordweaver777)

    Thank you, wfasa, for the info and tips. I appreciate it. I in fact already implement those security measures, so I guess that there is not much more that I can do at this point.

    Hi again @wordweaver777,

    That sounds great. Agreed, you shouldn’t have to do anything more at this point. One last thing though – if you want to, you can tweak the Brute force protection settings in Wordfence. These can be optimized based on the type of site you are running. For more info see the Brute Force protection guide on our blog.

    Resolving this for now but if you have any other questions or concerns, feel free to start a new thread at any time. Best of luck with your site for now!

  • The topic ‘How to Protect Admin’s Username From Imitators’ is closed to new replies.