Home › Forums › BulletProof Security Pro › How do hackers get user names?
- This topic has 7 replies, 3 voices, and was last updated 8 years, 6 months ago by
AITpro Admin.
-
AuthorPosts
-
Zsolt Edelényi
ParticipantMy page is under brute force attack. Someone tries to enter with a user name, who has no post or page. How the hackers get to know the user’s name, if there is no author’s page?
AITpro Admin
Keymaster99% of all hacking and spamming is automated and done with Bots. Probably the easiest way to get usernames would be to do automated scans of your website Source Code using cURL or DOM or using tools like WPScan or Kali Linux or custom hacker/spammer delivery system scanners using C, Python, etc.
Our websites get Brute force attacked daily. Some Brute force attacks last for several days at a rate of 1,000 login attempts per second = 60,000 login attempts per minute. Brute force attacks are now just a normal regular thing that happens every day. This forum site is currently being Brute force attacked right now so there may be a slight page load delay of .01 second (one tenth of a second). The Security Log fills up very quickly with blocked attacks, but other than that there is nothing else that is noticeable to anyone during a Brute force attack – Brute force attacks do not interfere with anything on this site since we are using BPS Pro Login Security and BPS Pro JTC Anti-Spam|Anti-Hacker.
BPS Pro has JTC Anti-Spam|Anti-Hacker, which blocks 100% of all automated Bot hacking and spamming Brute force attacks.
For BPS free users they can do these additional things below to protect against Brute Force attacks:
Things you can do to protect publicly displayed usernames, not exposing author names/user account names, etc.
http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
http://forum.ait-pro.com/forums/topic/user-account-locked/
http://forum.ait-pro.com/forums/topic/revealing-the-admin-or-editor-user-name-and-not-knowing/
http://forum.ait-pro.com/forums/topic/wordpress-author-enumeration-bot-probe-protection-author-id-user-id/Participantdo automated scans of your website Source Code using cURL or DOM
What files can hackers scan? I think they cannot get php files. If they have, the could get wp-config.php with database password.
Keymasterwp-config.php cannot be scanned remotely because it is an internal file that does not have the Source Code loaded on the frontend of your website. Go to your website’s home page, right mouse click and select View Source Code or similar name depending on your Browser. What you will see is your website page Source Code. That is what can be scanned remotely. It is also possible to scan internal files that do not load on the frontend of your website, but in order to do that someone would already have full control of your hosting account to be able to do that – ie a Hacker Shell Script uploaded to your hosting account.
ParticipantDo you have bonus code which hide the admin’s author page? This case hackers cannot get the ID of the admin user.
rafaelmagic
ParticipantParticipantThat is good, but I think a code, which redirect only admin users to page 404. Is this possible?
KeymasterThe code only redirects/blocks/protects against bad bots used by hackers and spammers so ALL bad bots using that Query String should be blocked/redirected.
-
AuthorPosts
- You must be logged in to reply to this topic.