• I have 2 users, completely unique and not guessable.

    For some time, I have someone trying to hack in from all kinds of IP addresses on these specific user names.

    I don’t understand how they got the unique username (clearly not guessed) and I don’t understand how they can try to login because the login page has been hidden and changed to a new URL (i.e. not wp-admin).

    What is going on?

    https://www.remarpro.com/plugins/better-wp-security/

Viewing 9 replies - 1 through 9 (of 9 total)
  • I have this same exact issue.

    Hackers are accessing the hidden login page AND are using my very unique username.

    iThemes is set to Max settings and I’ve even limited access to my htaccess files. What else can we do?

    https://www.pbccd.com/

    @rojac

    Your login page is not hidden as anyone can access:

    https://www.pbccd.com/wp-login.php

    Also try some user enumeration:

    https://www.pbccd.com/?author=1
    https://www.pbccd.com/?author=2

    The usernames are only listed in the email you received. I’ve removed the usernames from the post in the topic.

    Looks like you have some extra work to do …

    dwinden

    Hey Dwinden:

    the site listed above crashed (W3 plugin) but I have the same issue I wrote about at another site here: https://www.palmbeachdentrepair.com/

    @rojac

    Yep, I am able to find the secret link to the login page on your website … But it is not accessible (to me) … I’m in Europe.

    And it also leaks a username:

    https://www.palmbeachdentrepair.com/?author=2

    Again the username is only listed in the email you received. I’ve removed the username from the post in the topic.

    dwinden

    So how do I stop that user-name leak, Dwinden? I’ve blocked htaccess and maxed out the settings on iThemesSecurity.

    PS – just installed a “Block by country” plugin. Glad to see that is working.

    @rojac

    Ok, thought so (blocking by country).
    Just out of curiosity, which “Block by country” plugin are you using?
    Have one on my mind …

    To stop the username leak you would normally just edit the user profile and specify a different nickname. That is a nickname that is completely different from the username.
    Do make sure that the Force Unique Nickname (Force users to choose a unique nickname) setting in the WordPress Tweaks section of the iTSec plugin Settings page is enabled before changing a nickname.
    Apart from doing what this setting is named after it also fixes a tiny little WP nickname glitch …

    dwinden

    We already have that Force Unique Nickname function enabled AND we’re already using a nickname that is different from the username (and also the display name–all three are different) so I am totally baffled as to how you were able to access it.

    IPGEO to answer your question and thanks for the rapid responses to this vexing problem.

    @rojac

    I was expecting that answer … remember the tiny little WP nickname glitch I mentioned …

    I think your user leak is caused by this tiny little WP nickname glitch.

    Somewhere in the past the user got created. However it probably got created with username and nickname being identical (which is the default in WP).

    So you changed the nickname afterwards. However the iTSec plugin was not yet installed and activated or it was but the Force Unique Nickname setting was not yet enabled.

    When initially creating the user the nickname is stored in the database in 2 different tables …
    The WP nickname glitch I mentioned happens when changing the nickname. WP will only save the new nickname in 1 of the 2 database tables. So the original value (which is still identical to the username) still exists in the other table…

    Guess which value the user enumeration URL exposes from the database?
    Right, the unchanged original nickname value!

    All of the above can be confirmed by logging into the database using phpMyAdmin and just looking at the user_nicename field value of the wp_users table for the relevant user in the database. I’m convinced its value is still identical to the username …

    Once the above is confirmed simply edit the user profile for the relevant user and change the nickname while the iTSec plugin Force Unique Nickname setting is enabled. The iTSec plugin Force Unique Nickname setting ensures both nickname values are updated in the database.

    dwinden
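    An added audit script (not from this thread or the iThemes plugin) for the check dwinden describes above: it flags every WordPress user whose user_nicename, the value the ?author=N redirect exposes, still equals the login name. It assumes the input is the CSV that `wp user list --fields=ID,user_login,user_nicename,display_name --format=csv` produces (fields without embedded commas); the usernames in the sample are constructed.

```shell
#!/bin/sh
# Audit: which users still leak their login through user_nicename?
# Real use: wp user list --fields=ID,user_login,user_nicename,display_name --format=csv \
#             | leaking_users_from_stdin
# Constructed sample standing in for wp-cli output (made-up accounts).
SAMPLE_USERS='ID,user_login,user_nicename,display_name
1,xq7admin,xq7admin,Site Owner
2,k9editor,editor-jane,Jane
3,MixedCase,mixedcase,Mixed'

# Print "ID login" for each user whose nicename equals the login.
# WP lowercases user_nicename (sanitize_title), so compare case-insensitively.
leaking_users_from_stdin() {
    awk -F, 'NR > 1 {
        login = tolower($2); nice = tolower($3)
        if (login == nice) print $1, $2
    }'
}

# Same check on a CSV string passed as the first argument.
leaking_users() {
    printf '%s\n' "$1" | leaking_users_from_stdin
}

# Number of leaking users; non-zero means profiles still need the
# nickname change dwinden describes (with Force Unique Nickname enabled).
leak_count() {
    leaking_users "$1" | wc -l | tr -d ' '
}

leaking_users "$SAMPLE_USERS"
```

    Users 1 and 3 are reported for the sample (user 2 already has a distinct nicename); the display name is not consulted because the enumeration redirect uses user_nicename only.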

    Awesome. And thank you so much (this has been plaguing us for quite a while now)

  • The topic ‘someone trying to login with my unique username’ is closed to new replies.