Are you tired of brute force attacks against your WordPress site? I am! Do you use an obscure username and wonder how in the heck these people are figuring it out and trying to log in?
I have spent numerous hours this month combatting this nonsense, trying one plugin after another and finally deciding to write one on my own!
The Brute Force Username Problem
I learned a long time ago never to use the word ‘admin’ as a login name for WordPress. I started using an abbreviated form of my name instead. After finding the best (in my opinion) WordPress security plugin, I started watching the logs and saw hackers/bots trying to use my username to brute-force the login page.
So, I hid the login page. That worked for a bit, as they left me alone in pursuit of other targets. Turns out that hiding the page isn’t effective, as all they have to do is append /wp-login/ to the URL and they are automatically redirected to the login page. I suppressed the author pages, not something I wanted to do, but I felt it necessary to stop the username from leaking.
Then, I changed my login name to something nonsensical. They (whoever “they” are) kept using the old name for a while then that slowly faded away. Then, this week they somehow found the new username. There is no way that they were guessing randomly. So I started sleuthing around the Codex.
As it turns out, there are two common ways to discover an author’s login name: an author query URL, or the WordPress REST API. For the query, simply append /?author=1 to the site URL. The number 1 is the user ID, and WordPress answers with a redirect to that user’s archive at /author/<user_nicename>/. By default the nicename is just the sanitized login name, so the redirect hands it over, and an attacker can walk the IDs 1, 2, 3, … to collect every account on the site. The other means is the REST API: /wp-json/wp/v2/users lists every user who has published a post, including that same slug, with no login required. A couple of things to keep in mind: the nicename is set from the login name when the account is created, so renaming the login in the database does not change it unless you update that column too; any theme that links the byline to the author archive leaks the same slug; and since WordPress 5.5 the core sitemap (/wp-sitemap-users-1.xml) lists every author archive URL as well.
To disable the author query, you could write a rewrite rule into the .htaccess file or add a function to your theme’s functions.php file. To block the REST API users route you need a filter in functions.php as well. With the number of websites managed by Veracity, touching each .htaccess file and adding code snippets to each functions.php file would be a nightmare, and a theme’s functions.php is lost on the next theme switch anyway.
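Here is an added example of what such a plugin can look like. It is my own illustration, not the plugin the post describes, and it uses only core WordPress hooks: it refuses the ?author=N query before the canonical redirect fires, serves author archives as 404s, drops the users sitemap, removes the anonymous REST users routes, strips the author fields from oEmbed responses, and makes wp-login.php stop confirming which usernames exist. The sae_ function names are made up for this example.

```php
<?php
/**
 * Plugin Name: Stop Author Enumeration (example)
 * Description: Added example for this post, not the author's plugin. Closes the
 *              core channels that hand out user_nicename (the login name by default).
 */

// Only run inside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Refuse front-end requests carrying author= or author_name= before
 * redirect_canonical() can turn /?author=N into /author/<nicename>/.
 * Admin screens use ?author= too (posts list filter) and are left alone.
 */
function sae_block_author_query() {
    if ( is_admin() ) {
        return;
    }
    if ( isset( $_GET['author'] ) || isset( $_GET['author_name'] ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'init', 'sae_block_author_query' );

/**
 * Serve the author archives themselves as 404s. Theme byline links point
 * here, and the page's canonical URL and body class repeat the nicename.
 */
function sae_disable_author_archives() {
    if ( is_author() ) {
        global $wp_query;
        $wp_query->set_404();
        status_header( 404 );
        nocache_headers();
    }
}
add_action( 'template_redirect', 'sae_disable_author_archives', 1 );

/**
 * Drop the users sitemap (/wp-sitemap-users-1.xml, WordPress 5.5+), which
 * lists every author archive URL.
 */
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );

/**
 * Hide /wp/v2/users and /wp/v2/users/<id> from anonymous callers. Logged-in
 * users keep them because the block editor's author dropdown relies on them.
 */
function sae_hide_rest_users( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'sae_hide_rest_users' );

/**
 * The oEmbed endpoint (/wp-json/oembed/1.0/embed?url=...) returns author_url,
 * the same /author/<nicename>/ link. Strip both author fields.
 */
add_filter( 'oembed_response_data', function ( $data ) {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
} );

/**
 * wp-login.php distinguishes an unknown username from a wrong password, which
 * lets a brute-forcer confirm names. Replace every login error with one message.
 */
add_filter( 'login_errors', function () {
    return 'Login failed.';
} );
```

Drop the file into wp-content/plugins/ and activate it, then check from outside: a request to /?author=1 should come back 403 rather than a 301 to /author/…/, /wp-json/wp/v2/users should return a 404 JSON body with code rest_no_route, and /wp-sitemap.xml should no longer list a users sitemap. One caveat before rolling it out across many sites: a theme or plugin that calls the users route from the front end for anonymous visitors (some comment and membership plugins do) will break when the route disappears, so test each site rather than assuming.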
Like I mentioned previously, I’ve decided to write a WordPress plugin to handle this for myself. I’ve been testing on a few of our sites and will deploy it to the remainder of our managed sites by the end of the month. My goal is to publish it to the WordPress Plugin Repository as soon as I’m confident that it’s stable. If you are interested in testing this on your own WordPress site, contact us and we can chat.