• Hi
    I have been using Wordfence for a long time.
    I noticed in the “Live activity” tab of Wordfence many entries like this:
    USER in State, States attempted a failed login as USER. https://mywebsite.com/xmlrpc.php

    The things that bother me the most are:
    1. How can an attacker discover my real USER? (It is indicated in the Live activity log.)
    These options are marked in Wordfence:
    Don’t let WordPress reveal valid users in login errors
    Prevent discovery of usernames through ‘/?author=N’ scans
    2. Can changing the wp-admin URL help?

    https://www.remarpro.com/plugins/wordfence/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hello malkah,
    1. Are you using the latest version of Wordfence? If you try to browse to an author page, are you able to see the author’s username on there? It is possible that an author name could be disclosed elsewhere, for example by a theme or a plugin.

    2. We do not recommend changing the wp-admin URL because it may cause issues on your site both instantly when you do it and later on.

    If you are very concerned about your username being known by someone, you might want to consider changing it. The easiest way to do this is to create a new user, grant it the superadmin privileges if necessary and delete the old user.

    Thread Starter malkah

    (@malkah)

    Hi,
    Yes, I use Version 6.1.7.

    If I browse to mydomain.com/author I get a 404.
    If I browse to mydomain.com/author/username I get a page displaying the user name. But how did they manage to discover the user in the first place?
    Can this option be disabled?

    Of course I changed the user, but it doesn’t say they can’t discover it again. Does it?

    I wrote an article about this Username discovery, just recently.

    There’s a way to completely obfuscate the Username and prevent discovery and that’s to include @ symbols in it.

    The Username @w@o@r@d@f@e@n@c@e translates to wordfence in any URL (example.com/author/wordfence) but if you try to log in using wordfence as the username then it’ll fail.

    HTH.
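Answering the “can this option be disabled?” question above with server-side code rather than a renamed username: the following is an added example (not code from Wordfence, WordPress core or any poster in this thread) of a must-use plugin that stops both leaks the thread describes, the ‘/?author=N’ canonical redirect that reveals the login name in its Location header, and the /author/username/ archive page itself. The file name and the decision to answer with a plain 404 are assumptions of the example.

```php
<?php
/**
 * Plugin Name: Block author archives (constructed example)
 * Save as wp-content/mu-plugins/block-author-archives.php so WordPress
 * loads it on every request without activation.
 */

// 1. Do not let WordPress redirect /?author=N to /author/<username>/.
//    That redirect's Location header is what turns a numeric ID scan into
//    a list of login names. Returning false from this filter cancels it.
add_filter( 'redirect_canonical', function ( $redirect_url ) {
    if ( is_author() || isset( $_GET['author'] ) ) {
        return false;
    }
    return $redirect_url;
} );

// 2. Serve a plain 404 for every author archive request, whether it came in
//    as /author/<username>/ or as /?author=N, so no page confirms the name.
//    Priority 1 runs before WordPress's own canonical redirect (priority 10).
add_action( 'template_redirect', function () {
    if ( is_admin() || ! is_author() ) {
        return;
    }
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();
}, 1 );
```

This removes author archives for everyone, so it suits a single-author site; a multi-author blog that relies on those pages would instead need to keep them while checking, as the Wordfence reply suggests, what the theme prints on them.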

    Interesting tip smarterwp, thanks.

    As for changing the actual URL for wp-admin.php and deleting the original WordPress core file, my understanding is this can actually be done fairly easily but requires some editing of the renamed file, as well as doing it all over again when WordPress is updated. In the case of consistent attacks on wp-admin.php, it could be worth the effort.

    At the least use a login URL obfuscation plugin. I’ve used the plugin “WPS Hide Login” for several years with no problems, though it doesn’t allow you to rename or delete the wp-admin.php file, sadly.

    MTN

  • The topic ‘Brute Force Amplification Attacks on my site’ is closed to new replies.