Display the WordPress admin or editor username


Viewing 15 posts - 1 through 15 (of 57 total)
  • #5965
    J Garner
    Participant

    Hi there,

    I thought I had understood all the steps to making sure that an admin user name was not revealed if that user created posts.

    I thought that with a given admin user changing the nickname to something different to the actual username, meant that would be used for the author link in posts. I realised this because I got a login alert from Bullet Proof Security, telling me that an attempt to login had been made using the unusual login I had chosen:

    Username: weirdandwonderfullogin [removed]
    Status: Locked
    Role: administrator
    Email: my email [removed]
    Lockout Time: Monday, May 20, 2013 4:46
    Lockout Time Expires: Monday, May 20, 2013 5:46
    User IP Address: 184.82.191.98
    User Hostname: tecgratis.com.br
    Request URI: /wp-login.php
    Site: my site URL [removed]

    I was first shocked that the exact same admin name had been used in just one attempt (or maybe several since it got blocked).

    So I checked the site having changed the nickname, and realised astonished, that the nickname was changed, but it is not used as the link for the author “By Authorname” with a link to the author page http://domainname.com/author/weirdandwonderfullogin/ when I was expecting to find the WordPress blog link to the author to be http://domainname.com/author/mychosennickname

    I don’t even understand why WordPress is built that way that it gives away the name you obviously use to login and when you provide a nickname it doesn’t use that instead!!! It’s like a big advert saying “You only need to guess the password for my site because I’m giving you my login username”.

    Now that’s what I’m currently thinking and even if I create an editor role for creating articles as opposed to an admin role that does everything that still means the editor access is also being advertised for all hackers to see, well anyone regardless of what you change the nickname to.

    So am I missing something or is this actually the reality of things with WordPress and what can you do to not display the author username/login. I guess hacking the WordPress code to remove the link to the author page but I’m guessing that page would actually exist even if the link to it is removed, but that does sound a lot better…

    Thanks,

    John

    #5971
    AITpro Admin
    Keymaster

    You need to choose which name to display publicly with this option setting:  Display name publicly as

    #5974
    J Garner
    Participant

    Yes that is what I have done and WordPress displays the chosen “Display name publicly as”.

    However the link for the author which you click on, or hover over, that only shows the “Display name publicly as” shows, in the URL, in the HTML, the actual username, well it does on all my installations of WordPress so I’m just wondering if I’m doing something wrong?

    #5979
    AITpro Admin
    Keymaster

    The display name that we use is AITpro Admin

    First Name AITpro

    Last Name Admin

    And yes the actual real username is displayed in BuddyPress URLs… at least for now it is.

    On the Blog site we may have removed author links.  It has been a long time since I looked at that.  We are instead showing the Author as plain text.

    Author: AITpro Admin
    Published: November 18, 2011
    Updated: February 11, 2013

    #5981
    AITpro Admin
    Keymaster

    The WordPress the_author_link() function in Themes is designed to show the value in the user’s Display name publicly as field as a URL.  If your particular Theme is displaying the actual username field then you should change this in all your Theme template files:  index.php, single.php, page.php and any other Theme template files if you have any others.

    http://codex.wordpress.org/Function_Reference/the_author_link

    #6061
    Vandenhaas
    Participant

    The WordPress the_author_link() function in Themes is designed to show the value in the user’s Display name publicly as field as a URL.  If your particular Theme is displaying the actual username field then you should change this in all your Theme template files:  index.php, single.php, page.php and any other Theme template files if you have any others.

    JGarner – Hello, I understand in general theory what this means regarding changing ACTUAL username/brute force attack problem, but I don’t know enough to start deleting/changing code and WHERE. If I knew what to do where more specifically, I will probably save a lot of headache. Any help you can provide? If not, I understand. Thanks

    -D

    #6063
    J Garner
    Participant

    That’s actually Alex / AITpro Admin that wrote what should be done.

    It does depend on what theme you have as they aren’t all equal in the way they handle this. For example I use the Genesis Framework from StudioPress and then on top of that I have a child theme called Dynamik from Catalyst that sits on top.

    I think in nearly all though you will be looking to change a routine called post info or maybe more specifically in certain cases post author, I would simply recommend asking the author of your theme either on WordPress or where you bought it how this can be changed.

    In Genesis there is a plugin called Simple Edits that lets you change post info to what you want so if like me you are the only person posting then you can just hard code the HTML in (that is obviously not the best idea) if you ever have guest authors that would then be a problem but I have just put it like that temporarily until I hear back from the theme author…

    There are also code snippets depending on the theme that can be added to the functions.php file that will replace what you have with something else which is pretty much what the Simple Edits plugin for Genesis does.

    Sorry I can’t help more Vandenhaas,

    John

    #6064
    AITpro Admin
    Keymaster

    I just took a look at the WordPress 2012 Theme template files and WordPress is not using any functions that display the author url/name period.

    Editing Theme template files is really simple.  You download the Theme template files and look for any functions that have “author” in the name of them and just comment them out.  There are actually quite a lot of different WordPress author functions.

    And actually the one that you want to get rid of/replace is this one – the_author_link().  If you replace this function with the_author() function then only your author nickname is displayed (be sure to use your nickname for “Display name publicly as” and not your actual Administrator account name in WP user settings)  as text without adding a link to it.

    http://codex.wordpress.org/Function_Reference/the_author_link

    Plain text author name no URL

    http://codex.wordpress.org/Function_Reference/the_author

    #6067
    Vandenhaas
    Participant

    John,

    Yes, I know it was the BPS people saying it, but I’ve read some of your other posts and was wondering if you had implemented what they said. I understand a little better thanks to your reply. I’m using Coraline, and so far I’m the only one, also, but I need to understand better for future considerations.

    I’m sure I’ve found the PHP code where this is dealt with, but I am just not knowledgeable enough to proceed confidently, for fear of really screwing things up. And where else do you change the call to the “actual username” in the DB.

    [code removed]

    Thanks – Dave

    #6069
    AITpro Admin
    Keymaster

    You’re looking at the wrong Theme files.  Use the WordPress Theme Editor.  It will tell you which files are Theme Template files.

    Appearance Menu >>> Editor link >>> look at the Theme files listed on the right hand side.  The ones that say Template are Theme Template files.

    If your particular Theme/Theme Author labeled them as Templates of course.  If not, then you will not see Template.

    User Profile Settings is a database option setting under each User’s Profile.  Each User Account has a Profile and within that Profile you can change what username is displayed publicly.

    #6075
    Vandenhaas
    Participant

    Keymaster,

    Thanks for the reply and correction. But now I’m a little confused. I got a Login Security Alert stating details to the Login Attack. The WP Account that was targeted was designated in the report with the ACTUAL username, not the “Display as…” name. I am reading this as they attempted to find the password, but already had the actual username.

    Perhaps they DON’T have the actual username, but are entering the email that is shown in Comment and Reply Forms, which is associated with this WP account. And BPS Login Security Report is simply showing me which WP account was targeted.

    Thanks for the patience as I tread softly thru the weeds.

    -D

    #6076
    AITpro Admin
    Keymaster

    Yes, that means the User Account name is known.  If it is an Administrator user account then create a new Administrator account and delete this one.  You cannot log in with an email address unless you are using another login plugin that allows this.

    #6077
    Vandenhaas
    Participant

    Ok, we’re on the same page.

    How does de-linking the author in the template file keep someone from obtaining the actual username? I created a new admin account and deleted the old one once already. And within an hour I got an attack on the new username? If that does not solve the problem, what’s the use of creating/deleting an admin account? Excuse me if I’m slow on this.

    I just took a look at the WordPress 2012 Theme template files and WordPress is not using any functions that display the author url/name period.

    Not sure why I want to do anything with the Template – Author changes if the author url/name are not being shown.?

    Thanks

    #6079
    AITpro Admin
    Keymaster

    Your User Account name is obviously being displayed somewhere if the hacker was able to get it.

    Under the Profile settings for this new user account what are these set to:

    Username
    First Name
    Last Name
    Nickname (required)
    Display name publicly as

    Example of how to do this correctly so that the Username is not displayed publicly:

    Username   X2ER5P8VU9W4
    First Name  AITpro
    Last Name  Admin
    Nickname (required)  AITpro Admin
    Display name publicly as  AITpro Admin

    #6080
    J Garner
    Participant

    Is there any way to have a routine scan the site to look for the ‘username’ and once it has run indicate that the username seems to be visible and indicate the page to check?
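
    One way to build the kind of check asked about above, as an added example that is not part of the original thread and not BulletProof Security code: it parses HTML saved from your own site and reports each page and location where the login username appears. The function and class names, the sample pages and the `comment-author-…` markup are constructed for illustration; the username and URLs reuse the placeholders from the first post.

```python
from html.parser import HTMLParser


class UsernameLeakFinder(HTMLParser):
    """Collects every place the login username appears in one HTML page."""

    def __init__(self, username):
        super().__init__(convert_charrefs=True)
        self.needle = username.lower()
        self.findings = []  # (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and self.needle in value.lower():
                # An author-archive URL is the leak described in the thread.
                in_author_url = name == "href" and "/author/" in value.lower()
                kind = "author-url" if in_author_url else "attribute"
                self.findings.append((kind, f'<{tag} {name}="{value}">'))

    def handle_data(self, data):
        if self.needle in data.lower():
            self.findings.append(("visible-text", data.strip()))


def scan_pages(pages, username):
    """Map page URL -> findings, for pages (dict of url -> html) that show the username."""
    report = {}
    for url, html in pages.items():
        finder = UsernameLeakFinder(username)
        finder.feed(html)
        finder.close()
        if finder.findings:
            report[url] = finder.findings
    return report


# Constructed sample pages, not from the thread. Feed in HTML saved from your own site.
SAMPLE_PAGES = {
    "http://domainname.com/a-post/":
        '<p>By <a href="http://domainname.com/author/weirdandwonderfullogin/">'
        'mychosennickname</a></p>',
    "http://domainname.com/plain-author/": "<p>Author: mychosennickname</p>",
    "http://domainname.com/comments/":
        '<li class="comment comment-author-weirdandwonderfullogin">Thanks!</li>',
}

if __name__ == "__main__":
    for url, hits in scan_pages(SAMPLE_PAGES, "weirdandwonderfullogin").items():
        for kind, detail in hits:
            print(f"{url}\t{kind}\t{detail}")
```

    A page that shows only the "Display name publicly as" value as plain text produces no finding; a page whose author link or markup still carries the login name is listed with the tag to look at.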
