• Resolved sarah1777

    (@sarah1777)


    Hi,

    WordFence successfully blocked someone from trying to log in to my admin panel. The username they tried was actually REALLY close to my real username. They tried ThisIsmyUsername and my real username is IsmyUsername. I was thinking about adding that longer version to the “Immediately block the IP of users who try to sign in as these usernames” list. Would that lock ME out? Or should I just change my username altogether?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Why would you use something so general as your username in the first place?
    That’s sort of like using the password “456789” because you know “123456” is too easy!
    I would change your username to something more obscure….

    Having said that, having a very strong password (min 12 chars of mixed case alphanumerics and symbols) is MUCH more critical than the username itself.

    Security through obscurity is not really a viable protection vector.

    NOTE: I’m a long-time WF user, and not part of WF support.

    Any Solution for…?

    There is a bad vulnerability in WordPress / BuddyPress and bbPress…
    First:
    BuddyPress and bbPress show in the profile @your username, with which you log in, instead of the nickname. That is very bad! Because your login name is exposed.

    If you right-click on the public name (in Activity, Posts, Comments, etc.) you can see the username in:

    https://www.yoursite.com/members/

    https://www.yoursite.com/forums/profile

    https://www.yoursite.com/author/

    So, please, if you know a functions.php to resolve this problem…
    Function: force it to show the nickname only (based on your first name and last name) in the links (a.url.fn.n).

    • This reply was modified 7 years, 9 months ago by livingflame.

    IMO – an exposed username is not that critical – it’s far more important to use strong passwords.

    Having said that, why expose usernames if you don’t need to, so I don’t disagree with you… but it really isn’t that big a deal.

    WF has the “Don’t let WordPress reveal valid users in login errors” option in Settings that can be set.

    You can also block author scans via .htaccess:
    # BEGIN block author scans
    RewriteEngine On
    RewriteBase /
    # Match any query string carrying author=<digits>, case-insensitively
    RewriteCond %{QUERY_STRING} (author=\d+) [NC]
    # Answer 403 Forbidden; "-" keeps the URL unchanged
    RewriteRule .* - [F]
    # END block author scans

    There are also plug-ins available…

    But again, it’s not such a big deal. The big deal is ensuring strong passwords are used.
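    The rewrite rule in the reply above only inspects the query string, so it is worth seeing exactly which requests it stops and which it lets through. The following Python snippet is an added illustration, not code from the thread or from Wordfence: it reimplements the condition `RewriteCond %{QUERY_STRING} (author=\d+) [NC]` and runs it over a handful of constructed request targets. The sample paths are made up for the example; note that the permalink-style `/author/<name>/` URL mentioned earlier in the thread is not matched by this rule, because it carries no `author=N` query parameter.

```python
import re
from urllib.parse import urlsplit

# Python equivalent of the .htaccess condition:
#   RewriteCond %{QUERY_STRING} (author=\d+) [NC]
# Apache tests the regex against the raw query string only, case-insensitively.
AUTHOR_SCAN = re.compile(r"author=\d+", re.IGNORECASE)


def author_scan_blocked(request_target: str) -> bool:
    """Return True when the rule would answer 403 Forbidden for this request target."""
    query = urlsplit(request_target).query
    return AUTHOR_SCAN.search(query) is not None


# Constructed sample request targets (hypothetical, not taken from a real access log).
SAMPLE_REQUESTS = [
    "/?author=1",                     # classic author-ID probe
    "/?AUTHOR=2",                     # upper case, still caught thanks to [NC]
    "/index.php?p=12&author=3",       # parameter buried among others
    "/author/ismyusername/",          # permalink form: no query string, NOT caught
    "/wp-login.php",                  # unrelated request
    "/?author=admin",                 # not digits, NOT caught by \d+
]


def classify(requests):
    """Map each request target to the verdict the rewrite rule would give it."""
    return {
        target: ("403 blocked" if author_scan_blocked(target) else "passed through")
        for target in requests
    }


if __name__ == "__main__":
    for target, verdict in classify(SAMPLE_REQUESTS).items():
        print(f"{target:32s} {verdict}")
```

    Running it shows the three `author=<digits>` variants blocked and the other three passed, which is the practical caveat: the rule closes the `?author=N` redirect path but leaves the author-archive permalinks and any other place the username is printed untouched.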

    Thread Starter sarah1777

    (@sarah1777)

    Yes, I hadn’t thought about that; my username shows for authors indeed. Yes, my password is remotely impossible to guess. It is really strong, so I guess I’ll leave “admin” as the only blocked username. Thanks

  • The topic ‘Similar Username blocking’ is closed to new replies.