Display the WordPress admin or editor username (BulletProof Security Pro forum)
Tagged: Display nickname, Display username
This topic has 56 replies, 4 voices, and was last updated 9 years, 2 months ago by AITpro Admin.
AITpro Admin (Keymaster):
You can do this with the BPS Pro Pro-Tools cURL scan/Multi-page scanner.
Use the 10 page simultaneous cURL scanner:
Enter A Search String: the user account name
Enter URL Paths to Scan: 10 different pages on your site

AITpro Admin (Keymaster):
FYI the cURL scanner is the same thing that hackers use to find anything they want to find. 😉 I’ve said it before and I will say it again – it is impossible to hide anything on the Internet. 😉
If you are displaying your actual username anywhere on your site it is very simple to find that info.
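The self-audit the scanner above performs, as an added Python example that is not part of BPS Pro or this thread: it fetches a list of your own page URLs and reports every place an account name appears in the source, telling apart hits inside a tag or attribute (such as an author link) from hits in visible text. The URL, the sample page and the `fetch` helper are constructed for the example.

```python
"""Added example: check your own site's page source for an account name.

A stand-alone stand-in for the 'search string over N pages' check
described above, not the BPS Pro scanner itself.
"""
import re
import urllib.request

# Constructed sample page: nickname in visible text, username in markup.
SAMPLE_PAGE = ('<p>Posted by <a href="/author/x2er5p8vu9w4/">AITpro Admin</a></p>'
               '<body class="author-x2er5p8vu9w4">')


def find_leaks(html: str, needles: list[str]) -> list[dict]:
    """Return every occurrence of each needle in a page's source with context.

    Matching is case-insensitive because WordPress lower-cases the username
    in author URLs while the nickname is shown as entered. 'where' is
    'markup' when the hit sits inside a tag (e.g. an href or class) and
    'text' when it sits in visible content between tags.
    """
    hits = []
    for needle in needles:
        for m in re.finditer(re.escape(needle), html, re.IGNORECASE):
            before = html[:m.start()]
            inside_tag = before.rfind("<") > before.rfind(">")
            snippet = html[max(0, m.start() - 40):m.end() + 40]
            hits.append({
                "needle": needle,
                "offset": m.start(),
                "where": "markup" if inside_tag else "text",
                "context": " ".join(snippet.split()),
            })
    return hits


def fetch(url: str, timeout: float = 10) -> str:
    """Plain GET of one of your own pages, decoded as UTF-8."""
    req = urllib.request.Request(url, headers={"User-Agent": "self-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def scan_site(urls: list[str], needles: list[str], get=fetch) -> dict:
    """Map each URL to its leak list; 'get' is swappable for offline runs."""
    return {url: find_leaks(get(url), needles) for url in urls}


if __name__ == "__main__":
    report = scan_site(["https://example.invalid/"], ["X2ER5P8VU9W4", "AITpro Admin"],
                       get=lambda url: SAMPLE_PAGE)
    for url, hits in report.items():
        for h in hits:
            print(f"{url}: {h['needle']!r} in {h['where']} @ {h['offset']}: {h['context']}")
```

Run it against real pages by dropping the `get=` override and listing your own URLs; a hit reported as `markup` usually means a theme or plugin template is emitting the author slug, not just the display name.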
J Garner (Participant):
Giving us the tools to hack our own sites 😉 I’ll consider it educational 🙂
AITpro Admin (Keymaster):
Well I did not include that attacking code in that Pro-Tool and only included the recon portion for legitimate purposes only, but yeah adding a few more lines of code and you have a hacker tool that will find vulnerable sites and attack them/hack them. 😉
J Garner (Participant):
I think I’ll just follow your lead and only check that my own sites are safe 🙂
Vandenhaas (Participant):
Just ran the cURL test and no “username” was found. This is good. The “nickname” was found in source code 0-1-2-3. I guess that is to be expected. The problem is that every single one of my attacks is logged in the BPS Login-In Security logs with the “username”, not the “nickname”. I have the account set up properly, always had it configured properly:
Username: X2ER5P8VU9W4
First Name: AITpro
Last Name: Admin
Nickname (required): AITpro Admin
Display name publicly as: AITpro Admin
Thanks for the reference to the cURL test. Didn’t know about that.
But I’m still at a loss to explain how they are getting the “username”. Any other suggestions?
AITpro Admin (Keymaster):
If you are not displaying the actual username on the site then the user name is being guessed or it is being found some other way. Let’s say your computer was hacked. Then anything you do on your computer can be stolen/retrieved. Or you are using a Proxy to log into your site. Then anything you do when connected to that Proxy can be stolen/retrieved. Let’s say your Browser has been hijacked. Then anything you do when using that Browser can be stolen/retrieved.
Most likely it is something simple and not the worst case scenarios mentioned above since instead of seeing failed login attempts your website would be hacked.
AITpro Admin (Keymaster):
Out of curiosity, is the Admin account getting locked out?
Vandenhaas (Participant):
I had 2 admin accounts active. I got a notice from BPS. One account was locked, the other was not. I was not the one to generate the failed logins. I was not trying to log in and making mistakes logging in.
I logged in successfully with the main account I use regularly. The log says the older account is LOCKED, but the one admin account I used to log in was NOT LOCKED. I then created a new admin account -properly- and that got flagged in another report from BPS, but it also was NOT LOCKED.
I have had no problem logging in, but BPS has listed logs with the older and also the new “username”, and from 2 different IPs and hostname servers – none of which are my home IP or hosting servers. Unless Hostgator uses host servers that have a German (.de) designation.
vserver543.dns-was.de – m25s20.vlinux.de
Thanks
AITpro Admin (Keymaster):
The one Admin account is known and needs to be deleted. The other is not known so it is ok. Delete any known admin accounts and delete the entry on the Login Security page since that account will no longer exist and you do not need to store a record of that account in your database anymore.
J Garner (Participant):
I found that a plugin I used actually provided the ability to render the post info and author info differently, and having changed the main site I didn’t think to check the plugins, but on one page (so you’d have to scan the whole site) there was still author info.
There is also the fact that Google scans your pages and has cached copies of old versions of the source code, so just removing the references to an account isn’t enough; you need to change it to something that isn’t hiding in Google data waiting to be found.
I also went through my sitemap to see if that had references to, for example, an author page but couldn’t see anything like that.
AITpro Admin (Keymaster):
Yes, you are correct that any plugin or any theme can display your author link and not the safe one either – your actual username account. I have seen around 80 plugins that do that crap. This of course should always be an option and not forced on anyone. Also, since this is a security risk, it should also be stated that choosing the option to display the author name is a security risk.
J Garner (Participant):
Can you create a plugin that checks that installed plugins aren’t doing ‘that crap’, like an auditing plugin? 😉
I’d buy it with the number of sites and plugins I have to manage 🙂
AITpro Admin (Keymaster):
We do not install a plugin until all of the code has been looked at physically. Then it is installed on a test site and tested for vulnerabilities. If it passes it gets installed on a Live site.
AITpro Admin (Keymaster):
BPS Pro already has tools in Pro-Tools that do this: String Finder, String Replacer/Remover and DB String Finder. You have to know what you are looking for. In order to create something that took knowledge out of the equation, all the parameters would have to be included in the check. Minimum 6 months of research and coding work. We would not do something like that since it is low value/low priority – a time sucker for a very small gain.