Hi everyone,
I’m really frustrated with this ongoing issue. My WordPress website keeps getting bombarded with brute force login attacks. We’re talking about 500-700 attempts every single day!
I have two-factor authentication set up already, so that helps protect the actual login process. But what really puzzles me is how these attackers keep discovering my administrator username. It doesn’t matter how unique or complicated I make it.
My current process is to generate a completely new admin username whenever this starts happening, then remove the old compromised account. This usually gives me peace for a couple weeks, but then the attack pattern begins all over again with the new username somehow.
I’m definitely not using basic usernames like ‘admin’ or ‘administrator’. I try to be careful about username exposure too. What am I missing here? Are there known security holes that leak WordPress usernames that I should know about?
Would love to hear your thoughts on this!
This exact situation happened to me last year and I discovered something most people overlook - WordPress automatically creates author archives even for administrator accounts that never publish content. Even worse, your server logs might be compromised or accessible through directory traversal vulnerabilities. I found attackers were actually scraping my backup files that contained database dumps with usernames exposed. Check if you have any backup files in publicly accessible directories, and verify your hosting provider isn’t logging usernames in access logs that could be viewed. Another source I found was old cached versions on search engines showing admin usernames from previous site iterations. The attacks often come in waves because these username lists get shared among hacker communities once discovered.
WordPress exposes usernames through several methods beyond author pages. The REST API is a major culprit - attackers can query it on yourcompany.com to get all usernames. XML-RPC is another vector if enabled. Even your theme might be displaying usernames in comment sections or post metadata without you realizing it. I’ve seen cases where plugins leak this information too. You should disable REST API user enumeration with a security plugin, turn off XML-RPC if you don’t need it, and audit your theme files for any username displays. Also check if previous posts or comments are still showing the old usernames in archives.
yep, your author page is likely leaking your username. if your admin account has posts, people can find it at yourcompany.com. try making a new editor account to handle posts, and keep the admin for backend stuff only.
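The two replies above name three leak vectors (the REST users endpoint, the `?author=N` redirect to the author page, and an enabled `xmlrpc.php`). The script below is an added example, not code from any of the posters: it checks those three vectors against a site and reports what an anonymous visitor can learn. The HTTP client is injected so the example runs offline against constructed responses; `example.test`, the user slugs and the sample responses are invented for the demo. The URL paths used are the standard WordPress routes.

```python
"""
Audit of the WordPress username-leak vectors discussed in the thread:
the REST users endpoint, the ?author=N canonical redirect, and an
xmlrpc.php that advertises system.multicall.
"""
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

# A fetch function: (url, post_body_or_None) -> (status, headers, body).
# It is injected so the audit can run against constructed responses offline;
# for a live check, wrap urllib.request in a function with this signature.
Fetch = Callable[[str, Optional[bytes]], Tuple[int, Dict[str, str], str]]

AUTHOR_SLUG_RE = re.compile(r"/author/([^/?#]+)")
LIST_METHODS_XML = (b"<?xml version='1.0'?><methodCall>"
                    b"<methodName>system.listMethods</methodName>"
                    b"<params></params></methodCall>")


def usernames_from_rest(body: str) -> List[str]:
    """Pull the 'slug' of each user out of a /wp-json/wp/v2/users response.
    The slug is the user_nicename, which WordPress derives from the login
    name unless it was changed, so it is usually the username itself."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, list):
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]


def slug_from_author_redirect(status: int, headers: Dict[str, str]) -> Optional[str]:
    """?author=N gets redirected to /author/<nicename>/ when it resolves,
    so the Location header of the redirect carries the nicename."""
    if status not in (301, 302):
        return None
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    match = AUTHOR_SLUG_RE.search(location)
    return match.group(1) if match else None


def xmlrpc_multicall_enabled(status: int, body: str) -> bool:
    """A system.listMethods reply that includes system.multicall means a
    single POST can carry many login attempts (brute-force amplification)."""
    return status == 200 and "<methodResponse" in body and "system.multicall" in body


def audit(base_url: str, fetch: Fetch, max_author_id: int = 5) -> Dict[str, object]:
    """Run all three checks and return what an anonymous client could learn."""
    base = base_url.rstrip("/")
    findings: Dict[str, object] = {"rest_users": [], "author_slugs": [], "xmlrpc_multicall": False}

    status, _, body = fetch(f"{base}/wp-json/wp/v2/users?per_page=100", None)
    if status == 200:
        findings["rest_users"] = usernames_from_rest(body)

    slugs: List[str] = []
    for user_id in range(1, max_author_id + 1):
        status, headers, _ = fetch(f"{base}/?author={user_id}", None)
        slug = slug_from_author_redirect(status, headers)
        if slug and slug not in slugs:
            slugs.append(slug)
    findings["author_slugs"] = slugs

    status, _, body = fetch(f"{base}/xmlrpc.php", LIST_METHODS_XML)
    findings["xmlrpc_multicall"] = xmlrpc_multicall_enabled(status, body)
    return findings


# Constructed responses standing in for a site that leaks on all three vectors
# (sample data for the offline demo, not captured from any real site).
_FAKE_SITE = {
    "https://example.test/wp-json/wp/v2/users?per_page=100": (
        200, {"Content-Type": "application/json"},
        json.dumps([{"id": 1, "name": "Site Owner", "slug": "x7q-owner"},
                    {"id": 4, "name": "Editor", "slug": "editor-jane"}])),
    "https://example.test/?author=1": (
        301, {"Location": "https://example.test/author/x7q-owner/"}, ""),
    "https://example.test/?author=4": (
        301, {"Location": "https://example.test/author/editor-jane/"}, ""),
    "https://example.test/xmlrpc.php": (
        200, {"Content-Type": "text/xml"},
        "<?xml version=\"1.0\"?><methodResponse><params><param><value><array><data>"
        "<value><string>system.multicall</string></value>"
        "<value><string>wp.getUsersBlogs</string></value>"
        "</data></array></value></param></params></methodResponse>"),
}


def fake_fetch(url: str, data: Optional[bytes]) -> Tuple[int, Dict[str, str], str]:
    """Offline stand-in for an HTTP client; unknown URLs get a 404."""
    return _FAKE_SITE.get(url, (404, {}, ""))


def demo() -> Dict[str, object]:
    return audit("https://example.test", fake_fetch)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run it against your own site, replace `fake_fetch` with a small `urllib.request` wrapper that returns the same tuple and pass your real base URL; only probe sites you are authorized to test. A non-empty `rest_users` list means the REST endpoint answers anonymous requests with user slugs, `author_slugs` shows which `?author=N` values redirect to a named archive, and `xmlrpc_multicall` being true is what makes XML-RPC worth disabling if nothing needs it.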