Forum Replies Created

Viewing 15 replies - 1 through 15 (of 35 total)
    Thread Starter manOmedia

    (@manomedia)

    Oh boy, am I an idiot?

    I think I will claim I was rather tired earlier when working on this but it did finally hit me. Strong alphanumeric passcodes are being created but it’s really tough to type in a “%” or “$” on a phone keypad. If the passcode is changed to numeric only, the same passcode is used for the meeting and phone dial-in.

    Still would be good to know the placeholders for the dial-in numbers and the dial-in passcode when it is not set to be the same as the main meeting passcode.

    Now to research how I can force the API call to generate only numeric passcodes.

    Thanks

    Thread Starter manOmedia

    (@manomedia)

    The saga continues – Presuming it’s not reasonably possible to make a call to a disabled plugin vs totally deleted, it is evidently not Yoast. It took longer but the new username started getting hits and Yoast is still disabled… Jeeeeze

    Thread Starter manOmedia

    (@manomedia)

    Actually, I have had my Xfinity IP change but indeed, it was like once in several years.

    Anyway, the saga continues – Presuming it’s not reasonably possible to make a call to a disabled plugin vs totally deleted, it is evidently not Yoast. It took longer but the new username started getting hits and Yoast is still disabled.

    Thread Starter manOmedia

    (@manomedia)

    One never knows how long static is but very interesting… I definitely got the “your ip has been locked out” message and the IP in the whitelist was correct. The login screen did not seem to be available – Perhaps I should have tried another browser…

    Anyway, that is one of the reasons I always have more than one admin login and access to more than one IP address…

    Thread Starter manOmedia

    (@manomedia)

    I have started another test like the previous but I will let things run longer (+/- 48 hours) without Yoast activated and see what happens.

    Not the right place for this but to confirm, if I put my IP in Enter Whitelisted IP Addresses: on the first tab of your ‘User Login’ settings page, no matter what I do I should not be locked out? Is that not correct?

    With all this messing around I accidentally locked myself out by using a wrong/old login, but my IP is in that whitelist.
    No big deal, I logged in via another IP with a good username and deleted that lockout from Dashboard > Locked IP Addresses but I was momentarily quite surprised…

    Thread Starter manOmedia

    (@manomedia)

    23:00 CET (17:00 US eastern time) I just started a new test that I will let run longer.
    – Yoast deactivated
    – New user created
    – ‘Nickname’ and ‘Display name publicly’ changed
    – Bulk edit – Assigned all content to the new user

    I will let it sit this way till sometime Monday so 36 to 48 hours.
    Presuming no hits to the new user name I will then reactivate Yoast and see what happens…

    BTW – Thanks, I forgot that Yoast is a Dutch company, but I’ll stick with English. Writing is not easy for me, but reading and speaking are fine.

    Thread Starter manOmedia

    (@manomedia)

    The Yoast person has relayed that in a randomly checked handful of pages on a local test environment they are:

    not able to find anywhere that Yoast SEO outputs the username in the source code with the exception of author archive URLs and when the display name and username are identical.

    So if indeed it is a Yoast exposure, it would seem to be inadvertent, either a call that can be made to Yoast or some other unintentional metadata output.

    Thread Starter manOmedia

    (@manomedia)

    For the new user, is the username selected for the ‘Display name publicly as’ option?

    No, ‘Nickname’ and ‘Display name publicly’ are both set to a different name. That was done immediately after creating the new user and Yoast was already deactivated.

    I randomly checked a handful of pages on my local test environment and am not able to find anywhere that Yoast SEO outputs the username in the source code with the exception of author archive URLs and when the display name and username are identical.

    Hmmm, well you obviously agree that while the test is not 100%, it does seem to point at some sort of exposure by Yoast.
    Just curious, when I first realized Yoast was creating the Authors link for the sitemap, I played around a bit and do not believe I saw any difference in /author-sitemap.xml when ‘Nickname’ and ‘Display name publicly’ were the same vs different than the real username. Is that output supposed to change based on those names?

    Thread Starter manOmedia

    (@manomedia)

    Already have a discussion underway at the Yoast support forum.

    I’ve been using Yoast for years. It’s been useful so I have not looked at others. Did a bit of reading about The SEO Framework and like what I see. Sounds like it might actually fit my needs as well or better, especially for this particular site.
    Thanks…

    Thread Starter manOmedia

    (@manomedia)

    Just for kicks I did talk with my host – They said what we already decided, that it’s very likely one of the plugins and they had a few ideas of more likely culprits but my gut was still on Yoast.

    This is somewhat anecdotal but it seems that with Yoast SEO disabled (no other changes), no usernames were extracted from the site but with Yoast SEO enabled, even with Yoast’s Author archives turned off, user names were detected.

    What I did was:
    – Disable Yoast SEO
    – Create a new user
    – Delete the old user
    – Assign all the content to the new user and Wait…

    During the next 24 hours+, no logins were attempted with the new username.
    I then reactivated Yoast and within about an hour, that new username started showing up on the list of blocked login attempts.

    What this seems to indicate is that while the default condition of WordPress is to show usernames, it is possible to block their exposure. But apparently there is another access point via Yoast.

    More to come I guess…

    Thread Starter manOmedia

    (@manomedia)

    So to follow up on this… This may be anecdotal but it seems that with Yoast SEO disabled (no other changes), no usernames are being extracted from this site but with Yoast SEO enabled, even with Author archives turned off, user names are being detected.

    What I did was:
    – Disable Yoast SEO
    – Create a new user
    – Delete the old user
    – Assign all the content to the new user and Wait…

    During the next 24 hours+, no logins were attempted with the new username.
    I then reactivated Yoast and within about an hour, that new username started showing up on the list of blocked login attempts.

    What this seems to indicate is that while the default condition of WordPress is to show usernames, it is possible to block their exposure. But apparently there is another access point via Yoast. Do you know what that is? Do you need more info?

    Thanks

    • This reply was modified 5 years, 5 months ago by manOmedia.

    Thread Starter manOmedia

    (@manomedia)

    Well… That was short lived.

    The new user name has leaked out – there are about 160 ‘Failed Login Records’ from the last 15 hours or so. Though interestingly, the ‘Locked IP Addresses’ list only shows actual lockouts from an older user name.

    Searching the page source content of all the public pages and posts does not reveal the user name and the WP database only shows the username as saved in three tables:
    – 146 matches in prefix_aiowps_failed_logins
    – 1 match in prefix_aiowps_login_activity
    – 1 match in prefix_users

    So I guess I’m back to analyzing the plugins:
    BackupBuddy
    Comet Cache
    Contact form 7
    Popup Maker
    Redirection
    WP Maintenance Mode

    But again, none seem likely to be revealing user names.

    Not sure if this should be marked ‘resolved’ or not. The leaking seems unrelated to AIOWPS but it’s still happening. I guess it could be marked resolved and I could still add to it if I discover another culprit?

    Thread Starter manOmedia

    (@manomedia)

    So I did a bit of reading and Yoast confirms

    By default, WordPress uses the username for the author archive page URL. Yoast SEO uses the same archive URL when building the sitemap.

    I had never looked before but there are a few plugins that can address this and Yoast will follow that change when building the sitemap.
    I guess for a site that needs to display author names, one of the plugins would make sense as changing the behavior in PHP is indeed a bit complicated.

    In the meantime, within an hour of deactivating Author archives, lockouts slowed to a trickle – just 6 over the last 10 hours and all of those are the first username that was in use before I started on this path.

    Seems like a good WordPress feature, to manage the creation of a username and a display name during account creation and then using the display name for all public facing actions. Would help with security, could make for more attractive name display and by having it done at account creation, duplicates could be easily prevented.

    Still, it might be a nice feature for All In One WP Security.

    • This reply was modified 5 years, 5 months ago by manOmedia.

    Thread Starter manOmedia

    (@manomedia)

    Thanks amboutwe… Today I also looked a bit more into the background. I guess for a site that needs to display author names, one of the plugins would make sense as changing the behavior in PHP is indeed a bit more complicated.

    I actually think it would make a lot of sense for WordPress to manage the creation of the username and the display name during account creation to help with security, make for more attractive display names and prevent duplicates all at the same time. My experience yesterday was pretty crazy – when I still had Author archives active, within 12 hours of generating a new user, it was hit and locked out over 450 times. Within an hour after deactivating Author archives, lockouts have slowed to a trickle.

    Anyway, still might be a nice feature for Yoast or Yoast Premium.

    Thread Starter manOmedia

    (@manomedia)

    Well, it seems I may be correct, that Yoast SEO is the culprit – at least it’s an obvious place to start.

    – Under Yoast SEO General Settings is an option for ‘XML sitemaps’ which is on by default.
    – The default for their sitemaps includes a ‘/author-sitemap.xml’ link, which by default includes any authors that have content associated to them.
    This is not necessarily an issue but what makes it a bit more onerous is that the links are the user name, not the Nickname or Display name and as best as I can tell, there is no UI access to make that change but I am inquiring.

    Yoast sitemaps can be entirely turned off and any number of other systems can be used to generate a sitemap. It’s also possible to just eliminate the authors link from the sitemap by turning off ‘Author archives’ on the Archives tab of the ‘Search Appearance’ page. This is where I’m starting.
    Additionally, if Author archives is active, it reveals a Yoast setting on each user’s profile page, ‘Do not allow search engines to show this author’s archives in search results.’ Checking that will remove that user from the Author archives section on the Yoast sitemap.

    Time to create a new user and see what happens…
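    A site-owner check for the exposure described in the post above, added here as an example and not code from this thread, from Yoast or from WordPress: it parses an author sitemap shaped like Yoast’s /author-sitemap.xml and reports every account whose login name appears as an author archive slug (a slug that only matches the public display name is not reported). The sitemap and the account list are constructed samples; the sitemap URL and the login names from your own wp_users table are what you would feed it in practice.

```python
"""Report WordPress login names exposed through an author sitemap."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"

# Constructed sample in the shape of a Yoast author sitemap: one <url>
# per author archive. Replace with the fetched /author-sitemap.xml.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/author/siteowner/</loc>
       <lastmod>2019-08-01T10:00:00+00:00</lastmod></url>
  <url><loc>https://example.test/author/editor-jane/</loc></url>
  <url><loc>https://example.test/about/</loc></url>
</urlset>
"""

# Constructed account list: (login name, display name). In practice this
# comes from wp_users (user_login) and the profile's display name.
SAMPLE_ACCOUNTS = [
    ("siteowner", "Site Owner"),     # slug equals the login: exposed
    ("jane_editor", "editor-jane"),  # slug equals the display name only
]


def author_slugs(sitemap_xml: str, author_base: str = "author") -> list[str]:
    """Return the slug of every <loc> that is an author archive URL.

    author_base is the WordPress permalink base for author archives; the
    default install uses "author", so /author/<slug>/ is the archive URL.
    """
    root = ET.fromstring(sitemap_xml)
    slugs = []
    for loc in root.iter(f"{{{SITEMAP_NS}}}loc"):
        parts = [p for p in urlparse(loc.text.strip()).path.split("/") if p]
        if len(parts) >= 2 and parts[0] == author_base:
            slugs.append(parts[1].lower())
    return slugs


def exposed_logins(sitemap_xml: str, accounts) -> list[str]:
    """Login names that show up verbatim (case-insensitively) as a slug."""
    slugs = set(author_slugs(sitemap_xml))
    return sorted(login for login, _display in accounts if login.lower() in slugs)


if __name__ == "__main__":
    for login in exposed_logins(SAMPLE_SITEMAP, SAMPLE_ACCOUNTS):
        print(f"login name exposed as author slug: {login}")
```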
