• Resolved Sandi

    (@sandi149)


    Hi,

    The past week or so I have noticed that someone or a bot is trying to log in to my site and has found out my username. I have no idea how they found this out but this is very upsetting to me. Wordfence has locked them out but they keep trying to get into it. I tried blocking their IP but I believe they are using a few different ones. Any advice is appreciated on how to stop this!

    Thank you,
    Sandi

Viewing 7 replies - 1 through 7 (of 7 total)
  • First you can use a new username but you need an extra e-mail address and then make the original username just a simple user, thus no administrator.
    Or you can make the password extra strong so use a password manager.
    I know the feeling because I had the same situation.

    You can definitely use the method @pjw303 described. We also have a feature in the Brute Force Protection settings that says “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API”.

    On a WordPress system, it’s possible to discover valid usernames by visiting a specially crafted URL that looks like one of these:

    • example.com/?author=2
    • example.com/wp-json/oembed/1.0/embed?url=http%3A%2F%2Fexample.com%2Fhello-world%2F
    • example.com/wp-json/wp/v2/users

    Enabling this option prevents hackers from being able to discover usernames using these methods. This includes finding the author in the post data provided publicly by the oEmbed API and the WordPress REST API “users” URL that was introduced in WordPress 4.7. Please note that some themes can leak usernames and we can’t prevent username discovery when a theme does this. We recommend that you keep this option enabled regardless.

    Also, make sure that on your user profile page the value for Display name publicly as is not set as what it says in the Username field. I usually try to make them completely different so it’s not easy to make an assumption of what the Username would be. For example if your Display name is Anne Jenkins I can guarantee that at least one attempt (or several hundred) will be ajenkins. Also don’t use admin, the site name or domain, etc.

    There are plugins that allow you to change your username since WordPress doesn’t include this functionality. They are available in the www.ads-software.com repository.

    Tim
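
Added example (not part of the original reply and not Wordfence's code): a small detector that looks for the three username-discovery requests listed above in a web server access log and groups them by client IP. It assumes the common/combined log format; the function names `classify` and `scan` and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Start of a common/combined access-log line: IP ... "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def classify(target):
    """Name the username-discovery method a request target matches, else None."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/").lower()
    if any(v.isdigit() for v in parse_qs(parts.query).get("author", [])):
        return "author-scan"
    if re.search(r"/wp-json/wp/v2/users(/\d+)?$", path):
        return "rest-users"
    if path.endswith("/wp-json/oembed/1.0/embed"):
        return "oembed"  # also used for legitimate embeds, so weigh it lower
    return None

def scan(lines):
    """Group matching requests by client IP: hit count, methods, answered count."""
    report = defaultdict(lambda: {"hits": 0, "methods": set(), "answered": 0})
    for line in lines:
        m = LOG_RE.match(line)
        kind = classify(m.group(2)) if m else None
        if kind is None:
            continue
        entry = report[m.group(1)]
        entry["hits"] += 1
        entry["methods"].add(kind)
        # 2xx/3xx: the site answered the probe instead of refusing it
        if m.group(3)[0] in "23":
            entry["answered"] += 1
    return dict(report)

# Constructed sample lines (documentation IP ranges), not from a real site
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:05:02 +0000] "GET /wp-json/oembed/1.0/embed?url=http%3A%2F%2Fexample.com%2Fhello-world%2F HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [01/Jan/2024:10:06:00 +0000] "GET /hello-world/ HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for ip, e in scan(SAMPLE).items():
        print(ip, e["hits"], sorted(e["methods"]), "answered:", e["answered"])
```

A non-zero "answered" count for `author-scan` or `rest-users` after the Wordfence option is enabled points at a path the option is not covering, such as a theme that leaks usernames.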

    Thread Starter Sandi

    (@sandi149)

    Thank you. In the Brute Force section that Prevent Discovery of Usernames is checked. I also want to change the display name publicly to something else but it won’t let me. I would like to change the choices that are in that drop down menu, is there a way to do that?

    You can change the value for Nickname and then select that in the Display Name… field.

    Tim

    Thread Starter Sandi

    (@sandi149)

    Thank you! Hopefully this will work, although that hacker bot seems to know my username so it will probably be back trying to get into my site.

    Thread Starter Sandi

    (@sandi149)

    I have something called LastPass which is a password manager, would that work?

    That is an excellent piece of software to help. Programs like LastPass and 1Password create long complex passwords for the sites you log in to so they really help. I know 1Password integrates with 2FA. LastPass might as well.

    Tim

  • The topic ‘someone keeps trying to log in to my site and knows my username HELP!’ is closed to new replies.