Display the WordPress admin or editor username
Tagged: Display nickname, Display username
This topic has 56 replies, 4 voices, and was last updated 10 years, 8 months ago by AITpro Admin.
AITpro Admin
Keymaster
You can do this with the BPS Pro Pro-Tools cURL scan/Multi-page scanner.
Use the 10 page simultaneous cURL scanner
Enter A Search String: the user account name
Enter URL Paths to Scan: 10 different pages on your site

AITpro Admin
Keymaster
FYI the cURL scanner is the same thing that hackers use to find anything they want to find. 😉 I’ve said it before and I will say it again – it is impossible to hide anything on the Internet. 😉
If you are displaying your actual username anywhere on your site it is very simple to find that info.

J Garner
Participant
Giving us the tools to hack our own sites 😉 I’ll consider it educational 🙂

AITpro Admin
Keymaster
Well I did not include that attacking code in that Pro-Tool and only included the recon portion for legitimate purposes only, but yeah adding a few more lines of code and you have a hacker tool that will find vulnerable sites and attack them/hack them. 😉

J Garner
Participant
I think I’ll just follow your lead and only check that my own sites are safe 🙂

Vandenhaas
Participant
Just ran the cURL test and no “username” was found. This is good. The “nickname” was found in source code 0-1-2-3. I guess that is to be expected. The problem is that every single one of my attacks is logged in the BPS Login-In Security logs with the “username”, not the “nickname”. I have the account set up properly, always had it configured properly:
Username X2ER5P8VU9W4
First Name AITpro
Last Name Admin
Nickname (required) AITpro Admin
Display name publicly as AITpro Admin
Thanks for the reference to the cURL test. Didn’t know about that.
But I’m still at a loss to explain how they are getting the “username”. Any other suggestions?

AITpro Admin
Keymaster
If you are not displaying the actual username on the site then the user name is being guessed or it is being found some other way. Let’s say your computer was hacked. Then anything you do on your computer can be stolen/retrieved, or you are using a Proxy to log into your site. Then anything you do when connected to that Proxy can be stolen/retrieved. Let’s say your Browser has been hijacked. Then anything you do when using that Browser can be stolen/retrieved.
Most likely it is something simple and not the worst case scenarios mentioned above since instead of seeing failed login attempts your website would be hacked.

AITpro Admin
Keymaster
Out of curiosity is the Admin account getting locked out?

Vandenhaas
Participant
I had 2 admin accounts active. I got a notice from BPS. One account was locked, the other was not. I was not the one to generate the failed logins. I was not trying to log in and made mistakes logging in.
I logged in successfully with the main account I use regularly. The log says the older account is LOCKED, but the one admin account I used to log in was NOT LOCKED. I then created a new admin account -properly- and that got flagged in another report from BPS, but it also was NOT LOCKED.
I have had no problem logging in, but BPS has listed logs with the older and also new “username”, and from 2 different IPs and hostname servers – none of which are my home IP or hosting servers. Unless Hostgator uses host servers that have a German (.de) designation.
vserver543.dns-was.de – m25s20.vlinux.de
Thanks

AITpro Admin
Keymaster
The one Admin account is known and needs to be deleted. The other is not known so it is ok. Delete any known admin accounts and delete the entry on the Login Security page since that account will no longer exist and you do not need to store a record of that account in your database anymore.

J Garner
Participant
I found that a plugin I used actually provided the ability to render the post info and author info differently, and having changed the main site I didn’t think to check the plugins, but on one page (so you’d have to scan the whole site) there was still author info.
There is also the fact that Google scans your pages and has cached copies of old versions of the source code, so just removing the references to an account isn’t enough; you need to change it to something that isn’t hiding in Google data waiting to be found.
I also went through my sitemap to see if that had references to, for example, an author page but couldn’t see anything like that.

AITpro Admin
Keymaster
Yes, you are correct that any plugin or any theme can display your author link and not the safe one either – your actual username account. I have seen around 80 plugins that do that crap. This of course should always be an option and not forced on anyone. Also since this is a security risk it should also be stated that choosing the option to display the author name is a security risk.
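As an added self-audit example (not BPS Pro code and not from anyone in this thread), the following script combines the multi-page string scan described earlier with the author-link leak mentioned just above: it searches page source for a login name, including the /author/<slug>/ archive links and author-<slug> CSS classes WordPress themes and plugins emit. The function names, the sample HTML and the username "examplelogin" are all constructed for this example.

```python
# Added self-audit example (not BPS Pro code): find a WordPress login name in page
# source, including author-archive links and author-* classes themes/plugins emit.
import re
from concurrent.futures import ThreadPoolExecutor
from urllib.request import urlopen

def find_username_exposure(html, username):
    """Return (kind, match) pairs for each place `username` appears:
    'author-link' = /author/<slug>/ URL (WordPress builds the slug from the
    login name unless the nicename was changed), 'css-class' = author-<slug>
    or comment-author-<slug> class, 'text' = any other literal occurrence."""
    u = re.escape(username)
    structured = {
        "author-link": rf'/author/{u}(?=[/"\'?#\s])',
        "css-class": rf'\b(?:comment-)?author-{u}\b',
    }
    findings, covered = [], []
    for kind, pattern in structured.items():
        for m in re.finditer(pattern, html, re.I):
            findings.append((kind, m.group(0)))
            covered.append((m.start(), m.end()))
    # Plain-text hits: skip spans already reported and ignore the name when it
    # is part of another token (e.g. 'admin' inside '/wp-admin/').
    for m in re.finditer(rf'(?<![\w-]){u}(?![\w-])', html, re.I):
        if any(s <= m.start() < e for s, e in covered):
            continue
        context = html[max(0, m.start() - 25):m.end() + 25]
        findings.append(("text", context.replace("\n", " ").strip()))
    return findings

def scan_pages(urls, username, workers=10):
    """Fetch pages of your own site concurrently (10 workers mirrors the
    10-page simultaneous scan in the thread); map each URL to its findings."""
    def one(url):
        with urlopen(url, timeout=15) as resp:
            body = resp.read().decode("utf-8", "replace")
        return url, find_username_exposure(body, username)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(one, urls))

# Constructed page source: an author archive whose theme leaks the login slug.
SAMPLE_HTML = """<html><body class="archive author author-examplelogin">
<a href="https://example.com/author/examplelogin/">Site Editor</a>
<p>Posted by Site Editor</p>
<!-- debug: user ExampleLogin -->
</body></html>"""

if __name__ == "__main__":
    for kind, what in find_username_exposure(SAMPLE_HTML, "examplelogin"):
        print(f"{kind:12} {what}")
```

Run `scan_pages` against ten or so URLs of your own site to reproduce the thread's check; an empty result for every page means neither the literal login name nor an author slug derived from it is in the rendered source.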

J Garner
Participant
Can you create a plugin that checks that installed plugins aren’t doing ‘that crap’, like an auditing plugin? 😉
I’d buy it with the number of sites and plugins I have to manage 🙂

AITpro Admin
Keymaster
We do not install a plugin until all of the code has been looked at physically. Then it is installed on a test site and tested for vulnerabilities. If it passes it gets installed on a Live site.

AITpro Admin
Keymaster
BPS Pro already has tools in Pro-Tools that do this: String Finder, String Replacer/Remover and DB String Finder. You have to know what you are looking for. In order to create something that took knowledge out of the equation, all the parameters would have to be included in the check. Minimum 6 months of research and coding work. We would not do something like that since it is low value/low priority – a time sucker for a very small gain.