Display the WordPress admin or editor username


Viewing 15 posts - 16 through 30 (of 57 total)
    #6081
    AITpro Admin
    Keymaster

    You can do this with the BPS Pro Pro-Tools cURL scan/Multi-page scanner.

    Use the 10 page simultaneous cURL scanner

    Enter A Search String
    the user account name

    Enter URL Paths to Scan
    10 different pages on your site

    #6082
    AITpro Admin
    Keymaster

    FYI the cURL scanner is the same thing that hackers use to find anything they want to find.  😉  I’ve said it before and I will say it again – it is impossible to hide anything on the Internet.  😉

    If you are displaying your actual username anywhere on your site it is very simple to find that info.

    #6083
    J Garner
    Participant

    Giving us the tools to hack our own sites 😉 I’ll consider it educational 🙂

    #6085
    AITpro Admin
    Keymaster

    Well I did not include that attacking code in that Pro-Tool and only included the recon portion for legitimate purposes only, but yeah adding a few more lines of code and you have a hacker tool that will find vulnerable sites and attack them/hack them.  😉

    #6087
    J Garner
    Participant

    I think I’ll just follow your lead and only check that my own sites are safe 🙂

    #6139
    Vandenhaas
    Participant

    Just ran the cURL test and no “username” was found. This is good. The “nickname” was found in source code 0-1-2-3. I guess that is to be expected. The problem is that every single one of my attacks is logged in the BPS Login-In Security logs with the “username”, not the “nickname”. I have the account set up properly, always had it configured properly:

    Username   X2ER5P8VU9W4
    First Name  AITpro
    Last Name  Admin
    Nickname (required)  AITpro Admin
    Display name publicly as  AITpro Admin

    Thanks for the reference to cURL test. Didn't know about that.

    But I'm still at a loss to explain how they are getting the “username”. Any other suggestions?

    #6140
    AITpro Admin
    Keymaster

    If you are not displaying the actual username on the site then the username is being guessed or it is being found some other way. Let's say your computer was hacked. Then anything you do on your computer can be stolen/retrieved. Or let's say you are using a Proxy to log into your site. Then anything you do when connected to that Proxy can be stolen/retrieved. Let's say your Browser has been hijacked. Then anything you do when using that Browser can be stolen/retrieved.

    Most likely it is something simple and not the worst case scenarios mentioned above since instead of seeing failed login attempts your website would be hacked.

    #6144
    AITpro Admin
    Keymaster

    Out of curiosity is the Admin account getting locked out?

    #6145
    Vandenhaas
    Participant

    I had 2 admin accounts active. I got a notice from BPS. One account was locked, the other was not. I was not the one to generate the failed logins. I was not trying to log in and making mistakes logging in.

    I logged in successfully with the main account I use regularly. The log says the older account is LOCKED, but the one admin account I used to log in was NOT LOCKED. I then created a new admin account -properly- and that got flagged in another report from BPS, but it also was NOT LOCKED.

    I have had no problem logging in, but BPS has listed logs with the older and also new “username”, and from 2 different IPs and hostname servers – none of which are my home IP or hosting servers. Unless Hostgator uses host servers that have a German (.de) designation.

    vserver543.dns-was.de   – m25s20.vlinux.de

    Thanks

    #6146
    AITpro Admin
    Keymaster

    The one Admin account is known and needs to be deleted. The other is not known so it is ok. Delete any known admin accounts and delete the entry on the Login Security page since that account will no longer exist and you do not need to store a record of that account in your database anymore.

    #6147
    J Garner
    Participant

    I found that a plugin I used actually provided the ability to render the post info and author info differently, and having changed the main site I didn't think to check the plugins, but on one page (so you'd have to scan the whole site) there was still author info.

    There is also the fact that Google scans your pages and has cached copies of old versions of the source code, so just removing the references to an account isn't enough; you need to change it to something that isn't hiding in Google data waiting to be found.

    I also went through my sitemap to see if that had references to, for example, an author page but couldn't see anything like that.
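
    The scan described in #6081 (search a set of pages for the login username) and the point made just above (a single plugin-rendered page can still leak it, so every page has to be checked) can be reproduced offline with a short script. The following is an added example written for this page, not a tool from BulletProof Security Pro or any poster here. It assumes the common WordPress conventions that author archive links take the form /author/<user_nicename>/ and that author archive pages carry an author-<user_nicename> body class, where the nicename defaults to a lowercased form of the login username; the sample pages and the example.com URLs are constructed, and the username is the one quoted in #6139.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample pages standing in for "10 different pages on your site"
# that a cURL scan would fetch. Only the display name appears on the home
# page; a plugin-rendered byline and an author archive leak the login name.
SAMPLE_PAGES: Dict[str, str] = {
    "https://example.com/": """
        <html><body class="home page">
        <p class="byline">Written by <span class="author">AITpro Admin</span></p>
        </body></html>""",
    "https://example.com/2013/some-post/": """
        <html><body class="single post">
        <p class="byline">By <a rel="author"
           href="https://example.com/author/x2er5p8vu9w4/">AITpro Admin</a></p>
        </body></html>""",
    "https://example.com/author/x2er5p8vu9w4/": """
        <html><body class="archive author author-x2er5p8vu9w4">
        <h1>Author: AITpro Admin</h1>
        </body></html>""",
}


def leak_patterns(username: str) -> Dict[str, Pattern]:
    """Patterns for the places WordPress themes/plugins commonly expose the
    login name (assumed conventions, see lead-in). Matching is case-insensitive
    because the nicename is a lowercased form of the username."""
    u = re.escape(username)
    return {
        "author_archive_path": re.compile(r"/author/" + u + r"/?", re.I),
        "body_class": re.compile(r'class="[^"]*\bauthor-' + u + r"\b", re.I),
        # Any other occurrence of the username as a whole token.
        "plain_text": re.compile(r"(?<![\w-])" + u + r"(?![\w-])", re.I),
    }


def find_username_leaks(pages: Dict[str, str], username: str) -> Dict[str, List[str]]:
    """Return {url: [finding, ...]} for every page whose URL or HTML contains
    the login username. Pages that only show the display name are omitted."""
    patterns = leak_patterns(username)
    report: Dict[str, List[str]] = {}
    for url, html in pages.items():
        text = url + "\n" + html  # the URL itself can leak the name
        findings: List[str] = []
        covered: List[Tuple[int, int]] = []
        # Structured leaks first, remembering their spans so the plain-text
        # pass does not report the same occurrence twice.
        for name in ("author_archive_path", "body_class"):
            for m in patterns[name].finditer(text):
                findings.append(f"{name}: {m.group(0)}")
                covered.append(m.span())
        for m in patterns["plain_text"].finditer(text):
            if not any(s <= m.start() and m.end() <= e for s, e in covered):
                findings.append(f"plain_text: {m.group(0)}")
        if findings:
            report[url] = findings
    return report


if __name__ == "__main__":
    for url, hits in find_username_leaks(SAMPLE_PAGES, "X2ER5P8VU9W4").items():
        print(url)
        for hit in hits:
            print("   ", hit)
```

    To run it against a real site, replace SAMPLE_PAGES with a dict of URLs and the HTML you fetched for each (sitemap URLs included); a page whose only hit is the display name produces no entry, which is the result #6139 reports as "no username found".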

    #6148
    AITpro Admin
    Keymaster

    Yes, you are correct that any plugin or any theme can display your author link and not the safe one either – your actual username account. I have seen around 80 plugins that do that crap. This of course should always be an option and not forced on anyone. Also since this is a security risk it should also be stated that choosing the option to display the author name is a security risk.

    #6150
    J Garner
    Participant

    Can you create a plugin that checks that installed plugins aren’t doing ‘that crap’, like an auditing plugin? 😉

    I’d buy it with the number of sites and plugins I have to manage 🙂

    #6151
    AITpro Admin
    Keymaster

    We do not install a plugin until all of the code has been looked at physically. Then it is installed on a test site and tested for vulnerabilities. If it passes it gets installed on a Live site.

    #6152
    AITpro Admin
    Keymaster

    BPS Pro already has tools in Pro-Tools that do this. String Finder, String Replacer/Remover and DB String Finder. You have to know what you are looking for. In order to create something that took knowledge out of the equation then all the parameters would have to be included in the check. Minimum 6 months of research and coding work. We would not do something like that since it is low value/low priority – time sucker for a very small gain.
