Simple WordPress Hack Reveals Admin Login Names

One of the first security rules when configuring WordPress is to never use the default administrator name, ‘admin’. Always change it to something that you can remember, but is hard for someone else to figure out. When you use the default name, a hacker who wants to try to break into your WordPress administration area already has half of what he needs to get in. The other half is the password, which hopefully has been set up as a convoluted mix of at least eight upper and lower case letters, numbers and a special character or two.

The problem is that there is nothing in a standard WordPress installation that will prevent a hacker from repeatedly trying to crack the password once the administrator username has been determined. It could be done manually, or through a simple program that repeatedly attempts to log in using different password combinations until the password is eventually discovered.

I recommend that WordPress users install a plugin named Limit Login Attempts that automatically locks out hackers after a pre-defined number of failed login attempts. The plugin also logs the username used in the hack attempt and the IP addresses of the hackers so that you can determine where the hackers are located. This plugin effectively blocked literally thousands of hack attempts for my WordPress clients over the past year.

While Limit Login Attempts shows us that 95% of the hack attempts try to log in using the default ‘admin’ username, much to my surprise I have noticed lately that hackers have increasingly used the actual administrator usernames. The curious part is that the usernames do not appear anywhere in the sites or in the HTML code. After a little rooting around I discovered a simple URL hack that reveals the administrator usernames.

Enter the following in the browser address bar, substituting the actual domain name of a WordPress site. WordPress redirects to the author archive page, and the new URL reveals the username of the administrator in the first row of the user table.

http://www.domainname.com/?author=1

[Screenshot: the ?author=1 URL as entered, and the author page URL it redirects to, which contains the username.]

What is actually displayed is the value of the user_nicename field assigned to the primary administrator with ID = 1 in the WordPress users table. Changing the numeric value in the URL repeats the trick for each of your other users in turn. The display_name field is also shown just above the content area on the author page. Neither of these is the actual login name, which is stored in the user_login field, but by default WordPress assigns the same name to all three fields. The display_name can be changed on the user management page for each user, but the user_nicename field is not accessible in the administrator area.

The way to fix the issue and tighten security for your site is to use phpMyAdmin, or whatever database management software your hosting company provides, to change the value in the user_nicename field. The important part is that the user_nicename and display_name fields must both be different from the user_login field.
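The database change described above, written out as SQL so it can be run from the phpMyAdmin SQL tab. This is an added example, not from the original post; it assumes the default "wp_" table prefix, and the new slug and display name are placeholders to replace with your own choices.

```sql
-- Added example (not part of the original post). Assumes the default "wp_"
-- table prefix; substitute your own prefix if the site uses a different one.

-- 1. Audit: list every user whose public names match the login name.
--    With MySQL's default case-insensitive collation, a nicename that differs
--    from the login only in letter case is still reported, which is what we want.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_nicename = user_login
   OR display_name  = user_login;

-- 2. Fix one account: give the primary administrator (ID = 1) a public slug
--    and display name that say nothing about the login. user_nicename is used
--    in author permalinks, so keep it lowercase, URL-safe and unique per user.
UPDATE wp_users
SET user_nicename = 'site-editor',   -- placeholder slug, choose your own
    display_name  = 'Site Editor'    -- placeholder name, choose your own
WHERE ID = 1;

-- 3. Re-run the audit; the result set should now be empty.
SELECT ID, user_login, user_nicename, display_name
FROM wp_users
WHERE user_nicename = user_login
   OR display_name  = user_login;
```

Run the audit query first so you see every account that needs attention, not just ID 1; hackers can walk the numeric value upward just as easily. After the update, repeat the ?author=1 check in a browser to confirm that only the new slug appears in the redirected URL.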

[Screenshot: editing the user_nicename field of the wp_users table in phpMyAdmin.]

If you do use an author page in your site, the author page URL may change as a result of these edits. If that raises another problem, or if making the database changes is beyond your technical skills, I do recommend that you install Limit Login Attempts or a similar plugin to prevent hackers from repeatedly trying to break into your site. This plugin effectively blocks repeated attempts to break into your administration area through the login page.
