Attacker trying to use deleted account name

  • Resolved davidkornfeld

    (@davidkornfeld)


    4 years ago

    Hi,

    A few weeks ago when Wordfence was starting to report an increasing number of blocked login attempts with the usual generic usernames like admin, login, ‘thesitename’ etc., but never with the actual active username, I decided to create a new admin account with a harder-to-guess username and an even longer, random password. Then I deleted the old admin account. The following day a number of login attempts were blocked when trying, for the first time, the old, deleted username. How did the deleted username leak? I’m the only admin and nobody else has got the credentials.

    However, in order to be able to create a new user I had to use a different email address and then, after deleting the old user, change it to the one I want permanently associated with the account. In that process WordPress sends confirmation emails (for the change of email addresses) containing the username (which seems like a stupid idea as I’ve given the user a nickname as well as a public displayname which of course are different from the actual username). That’s the only time my usernames have been sent by email.

    Thanks & Best wishes!
    David

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @davidkornfeld, thanks for your message to seek advice with this.

    With the old admin account, did you ever use it for creating site content where the username could have been included publicly as part of a timestamp or performed action etc.? It does seem odd that it would crop up after you have ceased using it but could still appear in historical data such as the kinds I’ve mentioned above.

    Going forwards, you could specifically state this username in Wordfence > All Options > Brute Force Protection > Immediately block the IP of users who try to sign in as these usernames if you’re concerned at it becoming known, and could immediately lock out all invalid usernames to prevent other random attempts. However, if you’re running an e-commerce site the latter setting is not recommended: https://www.wordfence.com/help/firewall/brute-force/#lockout-invalid-user

    With certain “security through obscurity” methods, like providing a nickname in correspondence to your approved email address instead of a plain username, this would only serve to slightly slow somebody with malicious intent. If they have access to see your emails containing this username, or have already gained access to your site in order to redirect this correspondence, it would not be difficult for them to obtain usernames for themselves.

    Our thoughts on altering the wp-login URL as discussed in this video is a similar example: https://www.wordfence.com/blog/2017/10/should-you-hide-wordpress-login-page/

    Thanks,

    Peter.

    Thread Starter davidkornfeld

    (@davidkornfeld)

    Hi @wfpeter!

    Yes, all site content was created with that old username. However, I’ve always had a different nickname and ‘Display name publicly’ set to the nickname. I’ve also disabled displaying author name globally.

    Maybe it would be a better practice to create another account, with less privileges – like editor – and assign all existing and future site content to that user – and only use the admin account when needed?

    Thanks and Best wishes!
    David

    Plugin Support wfpeter

    (@wfpeter)

    Hi @davidkornfeld,

    That’s certainly a good idea. You might want to create a new secondary admin account first (which will become primary), then re-assign the role on the original user if they’re deactivated rather than permanently deleted to prevent having to edit all of the existing content created by that user.

    Feel free to open a new topic if you have any further questions about Wordfence and we’ll always be glad to help out!

    Thanks again,

    Peter.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Attacker trying to use deleted account name’ is closed to new replies.