Securing Admin Accounts – Username Discovery

We’ve had Limit Login Attempts installed for some weeks now, and the number of brute force attempts occurring on wp-admin/wp-login is pretty amazing. At first the attempts were all with the username “Admin,” which doesn’t exist on our site, so I considered it an annoyance but not much of a threat. However, now we’re seeing lockouts occurring with other named admin user accounts, and I’m completely at a loss as to how the attackers are deducing the usernames of these accounts.

No content on our site is authored by anyone in particular and I can’t find any other location on our site where these usernames are publicly published.

Any idea as to how usernames might be discoverable?


If you have pretty permalinks enabled, WordPress will redirect all calls to /?author=1 to the author archive with the user name, e.g. /author/bob/. And then the visitor will know the author name.

Use Login Lockdown; that plugin does not reset accounts, it blocks IP addresses.
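The redirect the answer describes can be checked from the outside without following it: request /?author=N, refuse the redirect, and read the Location header. The script below is an added example written for this page, not code from the question, the answer or any plugin named here; the site https://example.com, the user-agent string and the SAMPLE_RESPONSES table are constructed so that the parsing logic runs offline.

```python
"""Check whether a WordPress site leaks usernames via the /?author=N redirect.

Added example for this page (not from the original post).  The network part
uses only the standard library; SAMPLE_RESPONSES is a constructed stand-in for
a site's Location headers so the logic can run without network access.
"""
import re
import sys
from urllib.error import HTTPError, URLError
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Path of a pretty-permalink author archive, e.g. /author/bob/ -> "bob"
AUTHOR_PATH = re.compile(r"^/author/([^/?#]+)/?$")

# Constructed sample: Location header returned for /?author=<id>.
# IDs 2 and 3 stand for "redirected somewhere else" and "no redirect (404)".
SAMPLE_RESPONSES = {
    1: "https://example.com/author/bob/",
    2: "https://example.com/",
    3: None,
    4: "/author/alice",
}


def extract_author_slug(location):
    """Return the author slug from a redirect Location header, or None.

    Accepts absolute or path-only URLs.  Redirects that do not land on an
    author archive (front page, login page) and missing headers yield None.
    """
    if not location:
        return None
    match = AUTHOR_PATH.match(urlparse(location).path)
    return match.group(1) if match else None


def enumerate_authors(fetch_location, max_id=10):
    """Walk author IDs 1..max_id and return {id: slug} for those that redirect
    to an author archive.  fetch_location(author_id) must return the Location
    header for /?author=<author_id>, or None when there is no redirect."""
    found = {}
    for author_id in range(1, max_id + 1):
        slug = extract_author_slug(fetch_location(author_id))
        if slug:
            found[author_id] = slug
    return found


class _NoRedirect(HTTPRedirectHandler):
    """Refuse to follow redirects so the Location header stays observable."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location_fetcher(base_url, timeout=10):
    """Build a fetch_location callable that really queries base_url."""
    opener = build_opener(_NoRedirect)
    base = base_url.rstrip("/")

    def fetch(author_id):
        req = Request(f"{base}/?author={author_id}",
                      headers={"User-Agent": "author-redirect-check"})
        try:
            with opener.open(req, timeout=timeout):
                return None  # 200: page rendered in place, no redirect to read
        except HTTPError as err:
            # Because redirects are refused, a 301/302 surfaces here with its
            # headers intact; a 404 for a non-existent ID has no Location.
            if 300 <= err.code < 400:
                return err.headers.get("Location")
            return None
        except URLError:
            return None

    return fetch


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = enumerate_authors(http_location_fetcher(sys.argv[1]))
    else:
        results = enumerate_authors(SAMPLE_RESPONSES.get, max_id=5)
    for uid, slug in sorted(results.items()):
        print(f"author ID {uid} -> {slug}")
```

Run it against your own site as `python check_authors.py https://your-site.example` (only sites you are authorised to test). Two caveats: the slug in /author/bob/ is the user's nicename, which WordPress derives from the login name by default but which can be changed, so a match is a strong hint rather than proof of the login; and when pretty permalinks are off there is no redirect to observe, so the script reports nothing even though /?author=N still renders that user's archive.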
