• iThemes is catching hackers and locking them out for too many login attempts, BUT how did the hacker guess all the site users' IDs (or email IDs) when no user ID or email ID is listed in text on the site? My hosting company said if they are not in text on the site they are only stored in the database, which means the database has been accessed? I use non-standard user IDs so they couldn't guess them.

    I've had iThemes installed for years and seen these site lockout messages, but never thought about how a hacker could possibly guess the user ID/email. Is this an iThemes, WP or other plugin giving access to user IDs / email IDs in the database?

    thank you for any insight!

Viewing 5 replies - 1 through 5 (of 5 total)
  • hi,
    I was also disappointed when I noticed that wpscan (open-source exploit scanner) could list users:
    wpscan --url ADDRESS-OF-YOUR-SITE --enumerate u

    BUT it seems most hacking robots test for 'admin' users and the rest are normally blocked by your brute-force protection plugin...

    hi again,
    there is the All In One WP Security plugin which can help to hide users. After installation (not sure if it's wise to install both of them... devs will tell...) go to Miscellaneous, then User Enumeration, and check "Disable User Enumeration". Check your website again with wpscan and voilà, it's gone!

    For the record

    @marties

    There are different ways to deal with user enumeration.
    The iTSec plugin does not totally disable user enumeration.

    But it does provide 2 options in the WordPress Tweaks module which
    are related to user enumeration:

    • Force Unique Nickname
    • Disable Extra User Archives

    dwinden
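    The two replies above describe the fix at the level of plugin settings (All In One WP Security's "Disable User Enumeration" and iTSec's "Force Unique Nickname" / "Disable Extra User Archives"). As an added illustration that is not code from either plugin or from anyone in this thread, the must-use plugin below shows what such a setting does on the WordPress side: it closes the usual unauthenticated paths that reveal login names. It assumes WordPress core hooks only (template_redirect, rest_endpoints, login_errors) and that the file is dropped into wp-content/mu-plugins/, where WordPress loads it automatically.

```php
<?php
/**
 * Plugin Name: Block public user enumeration (example, not a product plugin)
 *
 * Save as wp-content/mu-plugins/block-user-enumeration.php.
 * Closes three anonymous paths that disclose usernames:
 *   1. /?author=N   -> canonical redirect to /author/<login-slug>/
 *   2. /wp-json/wp/v2/users (and /users/<id>)
 *   3. login error text that differs for unknown user vs. wrong password
 */

// 1. Author-ID enumeration. WordPress' own redirect_canonical() runs on
//    template_redirect at priority 10 and would turn ?author=1 into
//    /author/<slug>/, so hook at priority 1 and send visitors home first.
add_action( 'template_redirect', function () {
    if ( is_admin() || is_user_logged_in() ) {
        return; // editors may still browse author archives
    }
    if ( isset( $_GET['author'] ) || is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 2. REST API: remove the users routes for anonymous requests only.
//    Logged-in users keep them because the block editor relies on them.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 3. Login form: one generic message, so the response is not an oracle for
//    which usernames exist. (Lockout messages from a security plugin are
//    replaced too, which is the intended behaviour here.)
add_filter( 'login_errors', function () {
    return 'Login failed. Check your username and password.';
} );
```

    After adding the file, re-run the check from the first reply (wpscan --url ADDRESS-OF-YOUR-SITE --enumerate u) against your own site to confirm the author and REST paths no longer return names. Note what this does not cover: feeds and oEmbed output still carry the display name, which is exactly why the nickname options mentioned above matter; they only protect you if the display name is different from the login name.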

    hi,
    I'm afraid it doesn't (didn't test it) prevent wpscan and friends from doing their job of giving user names.

    have a good day

    @marties

    Go test before posting.

    That said you will probably need some insiders info on WordPress Nicknames to get it right.

    Stay safe and have a good day

    dwinden

  • The topic ‘How did hackers guess my userid/email to attempt to log in?’ is closed to new replies.