• Resolved wpress2010

    (@wpress2010)


    We are seeing a number of different attempts to break into some of our sites, not successful, but all share the same tactic of trying to use what is obviously NOT a “guess” at a valid username, such as:

    “A user with IP addr 107.189.11.207 has been locked out from signing in or using the password recovery form for the following reason: Used an invalid username ‘krowtenrekorbsyduj’ to try to sign in. ”

    What’s the basic logic behind this type of tactic? I see a number of “guess” type attempts that try using the domainname as a username, and others that try usernames such as “wordcamp,” which don’t seem very likely to succeed – but it’s easy to see the “logic” behind those.

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @wpress2010, thanks for your query,

    Are you seeing the likes of these username attempts coming from a “human” source, or a “bot” in your Live Traffic page? I would suspect something like the username you mention to be an automated bot.

    It is very possible that these obscure username attempts have no logic other than an incremented string by a bot attempting a brute force attack, or they could come from a list of known plugin/site vulnerabilities in the past that have been obtained by the attacker. We mostly see attacks that don’t check if a site is vulnerable first. Trying an exploit will usually be attempted without checking a specific plugin or WordPress version and just hoping for some results.

    If you see more accurate attempts in future, /?author=1 or /wp-json/wp/v2/users/1 can in some cases be placed at the end of your site URL to see which users are making posts and edits. Wordfence > All Options > Additional Options > Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps is in place for this purpose.

    There’s some more information on usernames here: https://www.wordfence.com/help/firewall/brute-force/#prevent-username-discovery

    Thanks,

    Peter.
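One way to triage lockout notices like the one quoted in the question is to parse them and check whether each attempted username is derived from the site's own hostname, forwards or reversed, or comes from a short list of common guesses. This is an added example, not Wordfence code or part of the original thread; the hostname, IPs, watchlist and category labels are assumptions made up for the illustration.

```python
import re
from collections import Counter

# Notice format as quoted in the original post (curly or straight quotes accepted).
LOCKOUT_RE = re.compile(
    r"IP addr (?P<ip>[0-9a-fA-F.:]+) has been locked out.*?"
    r"invalid username [‘'](?P<user>[^’']*)[’']"
)

def parse_lockout(line):
    """Return (ip, username) from a lockout notice, or None if it does not match."""
    m = LOCKOUT_RE.search(line)
    return (m.group("ip"), m.group("user")) if m else None

def _norm(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())

def classify(username, hostname, common=("admin", "wordcamp")):
    """Label an attempted username relative to this site (labels are this example's own)."""
    u = _norm(username)
    # Hostname labels without "www" and the TLD, each alone and all joined together.
    labels = [p for p in hostname.lower().split(".")[:-1] if p != "www"]
    candidates = {_norm(p) for p in labels} | {_norm("".join(labels))}
    candidates.discard("")
    if u in candidates:
        return "domain-derived"
    if u[::-1] in candidates:
        return "domain-reversed"   # same guess, spelled backwards
    if u in {_norm(c) for c in common}:
        return "common-guess"
    return "other"

def triage(lines, hostname):
    """Count attempts per label across all parseable lockout notices."""
    parsed = filter(None, map(parse_lockout, lines))
    return Counter(classify(user, hostname) for _, user in parsed)

# Constructed sample: hostname, IPs and usernames are made up for this example.
_TPL = ("A user with IP addr {} has been locked out from signing in or using the password "
        "recovery form for the following reason: Used an invalid username ‘{}’ to try to sign in.")
SAMPLE = [_TPL.format(ip, name) for ip, name in [
    ("203.0.113.5", "exampleshop"), ("203.0.113.5", "pohselpmaxe"),
    ("198.51.100.7", "wordcamp"), ("198.51.100.9", "zzqx81"),
]]

if __name__ == "__main__":
    print(triage(SAMPLE, "www.example-shop.test"))
```

Read backwards, the username in the quoted notice is "judysbrokernetwork"; the thread does not say whether that corresponds to the poster's domain.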

  • The topic ‘Why hackers try “random” username?’ is closed to new replies.