[Resolved] Username security rules breached

This topic contains 2 replies, has 2 voices, and was last updated by Keith Taylor 1 year, 9 months ago.

  • #234

    Keith Charlie Taylor
    Keymaster
    Usernames should not be domain names, as this is a common target for hackers.

    We need a procedure for changing WordPress usernames where this rule is breached. It should include redirects for author and profile pages.

    #246

    Keith Charlie Taylor
    Keymaster

    This applies to client websites, and all independent managed websites, as well as the KeĈaTa network.

    #416

    Keith Taylor
    Moderator

    The procedure now is to report the problem username in my todo list.

    I will liaise with the affected user, and change their username to something more acceptable. In most cases, it’s a simple edit of the database. It’s so rare, it doesn’t need anything more elaborate. Similarly, I don’t expect redirects need to be considered, unless they get picked up in a quality review.

    I’ve fixed the username that prompted this specific report. So, I’ve marked it Resolved.

    For other visitors who are interested in this, it relates to a common problem where hackers try brute force attacks to log into your website. There is a famous username that hackers attempt to access poorly protected WordPress websites. The next most common brute force username is your domain name. I’ve certainly had the bad habit of using domain names as usernames for many years. Since Wordfence showed me how often such usernames are attacked, I no longer use them. Also, I don’t allow them on any sites that I host for clients.

    If you are worried about this, I can help you manage it. In fact, if there is enough interest, I’ll publish a short lesson. If you want to test your WordPress website, here is a quick step-by-step:

    1. Install Wordfence
    2. Monitor emails for failed login attempts. Also, include a dashboard check for Failed Login attempts in your regular website security checks.
    3. Is the attempted username your domain name? Does it match a current username? If so, replace that username with something that cannot be easily guessed.
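The check in steps 2 and 3 above, as an added example that is not code from the original post or from Wordfence: given your site's domain, the list of current WordPress usernames, and the attempted usernames taken from failed-login notifications, it flags any current username that an attacker would derive from the domain, and any attempted username that is either domain-derived or a real account. The sample log lines are constructed for this example in a simple `user=<name> ip=<addr>` form; they are not Wordfence's actual email or log format. The `example.com` domain and usernames are assumptions, and the set of derived names (bare domain, first label, dot stripped or hyphenated) plus the well-known `admin` default is the example's own choice of what counts as guessable.

```python
import re
from collections import Counter

# Constructed sample failed-login lines (NOT Wordfence's real format); the
# attacker tries the default account, then variants of the site's domain.
SAMPLE_FAILED_LOGINS = """\
2024-03-01 10:12:03 failed login user=admin ip=203.0.113.5
2024-03-01 10:12:09 failed login user=example.com ip=203.0.113.5
2024-03-01 10:12:15 failed login user=example ip=203.0.113.5
2024-03-01 10:13:40 failed login user=keith ip=198.51.100.7
2024-03-01 10:14:02 failed login user=example.com ip=198.51.100.7
"""

LINE_RE = re.compile(r"failed login user=(?P<user>\S+) ip=(?P<ip>\S+)")


def guessable_usernames(domain):
    """Usernames an attacker would derive from the site's domain.

    Returns the bare domain, its first label, dot-stripped and hyphenated
    variants, plus 'admin' (the well-known WordPress default).
    """
    d = domain.lower().strip()
    if d.startswith("www."):
        d = d[4:]
    label = d.split(".")[0]
    return {d, label, d.replace(".", ""), d.replace(".", "-"), "admin"}


def usernames_to_rename(domain, existing_usernames):
    """Step 3, applied to the account list itself: current usernames that an
    attacker would guess from the domain. These should be renamed regardless
    of whether any brute-force attempt has been seen yet."""
    guessable = guessable_usernames(domain)
    return [u for u in existing_usernames if u.lower() in guessable]


def parse_failed_logins(text):
    """Count failed login attempts per attempted username (case-folded)."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[m.group("user").lower()] += 1
    return counts


def audit(domain, existing_usernames, log_text):
    """Step 2 + 3 over the failed-login records: report every attempted
    username that is domain-derived, a real account, or both, most-attempted
    first. A hit with is_real_account=True is the one that needs renaming."""
    guessable = guessable_usernames(domain)
    existing = {u.lower() for u in existing_usernames}
    attempts = parse_failed_logins(log_text)
    findings = []
    for user, n in attempts.most_common():
        if user in guessable or user in existing:
            findings.append({
                "username": user,
                "attempts": n,
                "guessable": user in guessable,
                "is_real_account": user in existing,
            })
    return findings


if __name__ == "__main__":
    # Assumed site and account list for the demonstration.
    site = "example.com"
    accounts = ["Example.com", "keith", "editor"]
    print("rename now:", usernames_to_rename(site, accounts))
    for f in audit(site, accounts, SAMPLE_FAILED_LOGINS):
        print(f)
```

Run this against the attempted usernames you see in the failed-login notifications rather than guessing; `usernames_to_rename` is the proactive half of the rule and needs no log at all. When the rename is then done as a direct edit of the database, as the post describes, note that the column being changed is `user_login` in the `wp_users` table; the separate `user_nicename` column, which drives author and profile URLs, is untouched by that edit, which is why those URLs keep working without redirects.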
