Here's a puzzler for the computerheads that know more about Internet skullduggery than I. I haven't engaged in skullduggery for at least 30 years so I'm kind of rusty. Lol.

So I've had an instance of Enterprise / Unlimited Wordpress installed and running on my server for a long time. My server is a Linux machine that I rent from 1and1 / ionos.

For top level administration, I disabled the default admin user and created a different user with admin privileges that I use. This account is under continuous login attack. I'm not terribly worried because the password is a long random string and I have timed lockout measures in place. It's kind of hard to try billions of possibilities when you're locked out for 20 minutes.

What puzzles me is how did they discover the username, which is also a random string? They have the right username. How was it discovered?

Any ideas? I'm really just curious.
That IS interesting.
No idea, but it does sound like perhaps the machine can be asked to provide a user list... which is kinda retro, far as I know.
Lots of room to speculate. Some machines emit periodic emails from root-like accounts (most of my machines send digests of logs, Let's Encrypt renewal notices, etc.). Or once upon a time you might have logged in using an unencrypted protocol.

I'm used to seeing several tens of thousands of login attempts per machine per day. And there's lots of other crap being thrown around by bad people who are just hoping that something might stick.
Hmm. Interesting. Yeah, running your own server from home, which I did from about 2003 to 2008, is an education. The attacks were incessant, burning up a significant amount of bandwidth. Back then, the IPs all traced back to China and Korea. Today, the IPs belong to Amazon, but maybe they're spoofed. I dunno. I haven't stayed up on all this stuff.

So I guess that means that attacks and porn use up 95 percent of the Internet's bandwidth and we're only seeing the remaining 5 percent for useful stuff.

Lots of ways for the browser and other things in the chain of how you administer the system to leak that.

Do you run Wordfence against that instance? Do you have 2FA?
No, and no. I'm a busy guy and trust Firefox to handle that for me. I assume that https works.

I mean, NOBODY should know that username but me and the server.

Maybe I should change the username to some other random string and see what happens, as an experiment.
That's not a horrible idea but also maybe think about the security of your sites. "But it's https" is to the web what "but I have McAfee" was to PC security.

Necessary but definitely not sufficient.
Aiiieeee, 1and1, that's who hosted my site for years and years 'til I took it down. Off topic: what's the best cheap web hosting service if I want to put a new site up?

As far as the OP question, I have no idea, but I suspect something like what @Karl Auerbach says... or a server userlist file? Something like that accessed elsewhere....
Attacks, porn and crypto mining make up 95% of all computer activity on the planet, I guess.
I really don't want to know the truth, but I suspect that's true.
This thread is a couple of years old, but provides information on how anyone can (or at least used to be able to) find user names in a WP setup:
It's given away in the author API endpoint. Bottom line is don't assume usernames are secure on any platform.
Well, whaddaya know, I was right 🙁 😀
@Kenny Chaffin - We use Digital Ocean. It's fairly inexpensive (but you gotta watch the "backup" storage charge and other ancillary things.) You can get a quite usable Linux system (virtual) for only a few dollars a month.
@Phil Landmeier (ᚠ) - Attacks come in all forms. SSH logins and web stuff (SQL injection attempts or attempts to fetch ../../../../../../../etc/passwd ) are the realm of script kiddies who throw large dictionaries of passwords against usernames that have been accumulated by the sale of old emails.

That stuff largely originates in China (and less so, Russia). One can gain a lot of quiet, if not security, by blocking all IPv4 and IPv6 sources in China and Russia.

There are lots and lots of other attacks that don't get into the logs, like attacks on DNS or things that happen in a datacenter where all the systems are inside the facility firewall - things like ARP poisoning, or exploration via Apple Bonjour or Microsoft CIFS (for which I am partially responsible) and name services. Print spooling is another attack vector that tends to fly below the radar.
Hmm. Thanks for the reminder. I've been pleasantly enjoying not thinking about this shit for almost ten years. But, the "complaints" from my Wordpress installation are getting louder and louder, every day I get them.

I'll have to think about wholesale blocking of address ranges again. Problem is the offending IPs aren't China or Korea, but IPs owned by Amazon.
I should perhaps remind that my original puzzle was "how did the attackers learn the username?" The username is a unique string of random characters, not used anywhere except as the username of a Wordpress user. Not an email user. Not a user anywhere else.

That's my puzzle.
If it's a plain vanilla WordPress install, then

HTTPS://blogname.domain/?author=n will send you to the author page for valid values of n (starting at 1)

Plugins like Wordfence will block this behaviour.

Does that help explain it?
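To make the two leaks named in this thread concrete (the `?author=n` redirect above, and the author/users REST endpoint mentioned earlier), here is an added example that is not part of any post in the thread. It is a small checker that asks a site for `/?author=1..N` without following redirects, pulls the user slug out of the `Location` header, and separately reads `/wp-json/wp/v2/users`. The site name `blog.example`, the usernames, and all HTTP responses below are constructed for the demonstration, not captured from a real site; the `fetch` callable is injected so the logic runs offline, and `http_fetch` is the real-network variant you would pass in against your own install.

```python
import json
import re
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin

# A response is (status, headers, body). The fetcher is injected so the same
# logic can be exercised offline against constructed responses.
Response = Tuple[int, dict, str]
Fetcher = Callable[[str], Response]

AUTHOR_SLUG = re.compile(r"/author/([^/?#]+)/?")
CANONICAL = re.compile(r'<link rel="canonical" href="[^"]*?/author/([^/"]+)/?"')


def username_from_author_redirect(resp: Response) -> Optional[str]:
    """A stock WordPress install answers /?author=N with a 301 to
    /author/<user_nicename>/. The nicename normally equals the login name
    (lower-cased), which is how the 'secret' username gets out."""
    status, headers, body = resp
    location = headers.get("Location") or headers.get("location", "")
    if 300 <= status < 400 and location:
        m = AUTHOR_SLUG.search(location)
        if m:
            return m.group(1)
    # Some themes serve the author archive directly (200); the slug then sits
    # in the canonical link instead of a redirect.
    m = CANONICAL.search(body)
    return m.group(1) if m else None


def usernames_from_rest(resp: Response) -> List[str]:
    """/wp-json/wp/v2/users lists every user with published posts; 'slug' is
    the nicename. A 401/403 or non-JSON body means the route is closed."""
    status, _, body = resp
    if status != 200:
        return []
    try:
        data = json.loads(body)
    except ValueError:
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and "slug" in u]


def enumerate_usernames(base_url: str, fetch: Fetcher, max_author_id: int = 10) -> Dict[str, Set[str]]:
    """Map each leaked username to the channel(s) that leaked it."""
    found: Dict[str, Set[str]] = {}
    for n in range(1, max_author_id + 1):
        name = username_from_author_redirect(fetch(urljoin(base_url, f"/?author={n}")))
        if name:
            found.setdefault(name, set()).add(f"author={n}")
    for slug in usernames_from_rest(fetch(urljoin(base_url, "/wp-json/wp/v2/users"))):
        found.setdefault(slug, set()).add("rest users")
    return found


def http_fetch(url: str) -> Response:
    """Live fetcher (standard library only). Redirects are NOT followed so the
    Location header of the 301 can be inspected; urllib reports a refused
    redirect as an HTTPError, which still carries status and headers."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as r:
            return r.getcode(), dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


# Constructed responses for an unhardened install (hypothetical host and users).
LEAKY_SITE = {
    "https://blog.example/?author=1": (301, {"Location": "https://blog.example/author/qx7v3k9m/"}, ""),
    "https://blog.example/?author=2": (301, {"Location": "https://blog.example/author/editor-jane/"}, ""),
    "https://blog.example/?author=3": (404, {}, "<html>Not found</html>"),
    "https://blog.example/wp-json/wp/v2/users": (200, {"Content-Type": "application/json"}, json.dumps(
        [{"id": 1, "name": "Site Admin", "slug": "qx7v3k9m"}, {"id": 2, "name": "Jane", "slug": "editor-jane"}])),
}

# Constructed responses for the same install after hardening: ?author=N is
# answered with 404 and the users route requires authentication.
HARDENED_SITE = {
    "https://blog.example/?author=1": (404, {}, "<html>Not found</html>"),
    "https://blog.example/?author=2": (404, {}, "<html>Not found</html>"),
    "https://blog.example/?author=3": (404, {}, "<html>Not found</html>"),
    "https://blog.example/wp-json/wp/v2/users": (401, {"Content-Type": "application/json"},
                                                 json.dumps({"code": "rest_user_cannot_view"})),
}


def leaky_fetch(url: str) -> Response:
    return LEAKY_SITE.get(url, (404, {}, ""))


def hardened_fetch(url: str) -> Response:
    return HARDENED_SITE.get(url, (404, {}, ""))


if __name__ == "__main__":
    print("leaky:   ", enumerate_usernames("https://blog.example", leaky_fetch, max_author_id=3))
    print("hardened:", enumerate_usernames("https://blog.example", hardened_fetch, max_author_id=3))
```

Run it against your own site with `enumerate_usernames("https://yourblog", http_fetch)`; if the admin login name comes back, the attackers got it the same way, and a randomly chosen username is doing nothing for you until both channels return an empty result.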
Without knowing more about your specific setup, the answer is: there are leaks. Even in an HTTPS-enabled system. If you think those leaks don't imply other threats to your site's safety, then you're all set.
I get notifications all the time of brute-force attempts against my blogs but you know what those attempts always get wrong?

The username.
@Phil Landmeier (ᚠ) did you check against the info from the reddit link?

Two stand out:
WPScan can reveal a bunch of juicy details about your WordPress site. Try disabling your feeds ->
It's easy to identify a WordPress username. Try this:

Increment 1 to get other usernames on the domain (if available).
All good advice. THANK YOU ALL. Lots to look into now.

I've been away working two days of very physical 12 hour shifts. Soon I must sleep and recharge my elderly body, and then return to the battle. Then, I will delve into all the great info and suggestions above.

I had a feeling there might be answers since I'm not the only person using Wordpress. Lol.