How do Bots and hackers get valid login names for your site
Over the past 3 years, I worked on 50 different websites in various capacities. When these sites had the Limit Login Attempts Reloaded plugin installed, it was impossible not to notice the number of failed login attempts displaying when the WordPress dashboard opened.
While some failed login attempts are of course innocent cases where a legitimate user mistyped their credentials, I am referring to failed login attempts numbering in the tens, hundreds, even thousands for a single day. When you see failed login attempts to this degree, bots are performing brute force attacks on your website.
One nice Limit Login Attempts Reloaded feature is the Log page. It includes the login name used with each failed attempt. I encourage you to take a look at this log – what you find might surprise you.
Many of the login names used with the failed login attempts were valid logins…
How do hackers find valid login names for your site?
The easiest way to get a valid login on a WordPress site is to review the blog page. When a site owner chooses to display the name of post authors, site visitors can click that name and open a list of all posts written by that author. When you review the URL that displays when this archive page opens, it shows the login name associated with the post author.
But We Are Not Displaying Post Authors on Our Website and They Still Find Logins
This is where hackers get crafty.
Go to any WordPress site by typing in its URL, but append ?author=1, for example:
https://yourdomain.xyz/?author=1 where yourdomain.xyz is your website.
Funny thing about WordPress…
WordPress assigns a user ID to each login name, and those ID numbers always start with 1. The first user on your site is usually the Administrator account used to install and set up WordPress. When you use the address listed above, it will open an archive page for user ID 1 and display the login name.
Now hackers have a valid login name that is likely assigned administrator rights. With one rather solid piece of valid information, they can release bots trying password combinations with a known valid login, giving them a leg up.
Note: What if ?author=1 returns no valid page? They simply move on to 2, 3, 4, and so on until a valid page does open and they have a valid login name to work with.
How can I block author=1 requests?
Depending on your web server configuration, most hosting providers allow you to assign site-specific settings in your .htaccess file. This file resides in the root folder of your WordPress site. Make a backup of your current .htaccess file and then modify the active .htaccess file so that it includes the following lines somewhere below the line ending with # END WordPress:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]
Now, when hackers attempt to determine your login name, their request is simply forwarded to your home page, so they can’t see the archive page or determine the login name.
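As an added example (not part of the original post), the following Python script scans Apache access-log lines for the ?author= probes described above and reports, per client IP, which IDs were tried and which were answered with an author archive page. The log lines and IP addresses are constructed samples, and the function names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in Apache "combined" log format (not real traffic).
# 203.0.113.7 walks author IDs 1, 2, 3 and is served two archive pages (200).
# 198.51.100.4 probes after the .htaccess rule is active and is redirected (301).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:09:12:01 +0000] "GET /?author=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:09:12:02 +0000] "GET /?author=2 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:09:12:03 +0000] "GET /?author=3 HTTP/1.1" 200 7990 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:09:15:44 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
192.0.2.9 - - [10/May/2024:09:20:10 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Client IP, request line (method + target) and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def author_id(target):
    """Return the numeric author= value if the request is an author probe, else None."""
    values = parse_qs(urlparse(target).query).get("author")
    if values and values[0].isdigit():
        return int(values[0])
    return None

def find_author_probes(log_text):
    """Summarise author= probes per client IP.

    "ids" is every ID the client tried; "leaked" is the subset answered with 200,
    meaning an author archive page (and so a login name in its URL) was served.
    A 301 may be the .htaccess rule above or WordPress's own redirect to
    /author/<name>/; the combined format has no Location header, so confirm
    301s by requesting the URL yourself and checking where it lands.
    """
    per_ip = defaultdict(lambda: {"ids": set(), "leaked": set()})
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        aid = author_id(match["target"])
        if aid is None:
            continue
        per_ip[match["ip"]]["ids"].add(aid)
        if match["status"] == "200":
            per_ip[match["ip"]]["leaked"].add(aid)
    return {ip: {"ids": sorted(d["ids"]), "leaked": sorted(d["leaked"])}
            for ip, d in per_ip.items()}

if __name__ == "__main__":
    for ip, info in find_author_probes(SAMPLE_LOG).items():
        print(f"{ip}: tried {info['ids']}, archive page served for {info['leaked']}")
```

Any IP with a non-empty "leaked" list was served an author archive, which means the redirect was not in place at that time.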
Need Assistance Setting Up .htaccess?
Connect with us at TPI-Solutions.