Hi @scarlet522, thanks for dropping us a message regarding this and I can absolutely help you understand it.
If a bot (or human) tries to log in using your username and fails repeatedly, they should experience blocking according to the strength or leniency your Brute Force settings. This will not affect the status of your own logged in session as you are accessing from a device or IP address not affected by the failed login attempt.
?WordPress to this day does not intend to hide your username and does not consider the intentional leaking of usernames to be a security problem. Instead their recommendation is to use strong passwords and two factor authentication to secure your login page, rather than hide your username. You can read more about this here:
https://make.www.ads-software.com/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue
For example, Dion Hulse, a core contributor to WordPress, explained the reasoning behind leaked usernames:
“It has been stated in previous tickets, ‘leaking’ of the username is not deemed a security issue by www.ads-software.com, as it’s a conscious decision to use the username as the slug in the URL”
The current stance on this is also evident in the WordPress Codex regarding “Access Control”:
“One of the top two attack vectors used by cyber criminals is software vulnerabilities and access control. To combat this you must secure any point of entry into your host, WordPress installation or server. This includes employing strong passwords and enabling some form of Multi Factor Authentication.”
Brute force login attacks are one of the most common attacks that we see and is normal. We see millions of brute force login attempts per hour on WordPress sites protected with Wordfence. Here is a blog post explaining why hackers are interested in your site and then steps you can take to keep your admin account protected: https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/
To keep yourself protected please carry out the following if you haven’t already done so:
1) Make sure all admin accounts and those with high level access. e.g. with publisher access, use a very strong password – WordPress can auto generate a very strong password for you on an account page. We recommend using a password manager such as 1password.com to store your complex passwords that are exceedingly difficult to remember.
2) Set our recommended brute force protection rules. Instructions are in the link below. You can quickly find these options in the Brute Force Protection section on the All Options page: https://www.wordfence.com/help/firewall/brute-force/
3) Enable two factor authentication for administrators and those with high level access e.g. with publisher access. This feature is on the Wordfence > Login Security page. Instructions are in this link: https://www.wordfence.com/help/tools/two-factor-authentication/
4) If there are a large amount of login attempts for the same username coming from a large pool of IP addresses then you can also enable the Google reCAPTCHA feature found on the Wordfence > Login Security > Settings page. If you want to limit the number of email alerts that you receive then you can adjust the settings in the Email Alert Preferences section on the All Options page.
I hope this helps you out in understanding what’s going on here. If you’d like to look into other Wordfence features, our help documents are a great resource: https://www.wordfence.com/help/
Thanks,
Peter.
