Issue - Malicious Harvesting Of Usernames from WP

16 replies
Dear Friends,

Long time no see. Hope all is well.

I have noticed that USERNAMES from WordPress installations are being harvested by malicious people and their robots. Most malicious attempts are coming from Eastern and Northern European regions.

After harvesting USERNAMES, they tried to brute force entry into WP Dashboard using those USERNAMES via the login area. I monitor this using Limit Login WP Plugins.

This issue is chronic and needs to be addressed as there are thousands of WP installations by Warriors.

What I have been doing (below) were not enough to stop the malicious harvesting of usernames :
1. All Posts and Pages do not contain poster names.
2. Visitor Registration for the sites are disabled.
3. All Users are registered manually by me via WP Dashboard
4. All WP Databases are installed manually
5. All WP Database Tables have custom prefixes and not the default WP prefix.

How do they harvest usernames and what further steps should I take to stop this?

I appreciate all ideas. Thank you.
#harvesting #issue #malicious #usernames
  • Profile picture of the author sprucehill
    I am very curious about this, too.

    I have 2 WP sites, and use Wordfence to ban any IP for 60 days after 4 incorrect login attempts. However, I noticed last week when I checked the log on one of the sites, that the username some hackers were attempting to login with was actually correct. How did they get this?

    I do not use dictionary words, my usernames are at least 35 characters long consisting of a random string of upper and lowercase letters, numbers and symbols. My passwords are are also a random string of at least 45 characters.

    I use Admin for the "nickname" for my username, so the real username cannot be seen on any posts or pages, and I am the only user. I also install WP and the database manually and change the table prefix. I am reasonably sure that no one can actually login to my sites because of my super-strong passwords, but I am wondering how they got the usernames.
    {{ DiscussionBoard.errors[9894483].message }}
  • Profile picture of the author Chris Lee
    I use a plugin called Login Lockdown https://wordpress.org/plugins/login-lockdown/.

    That blocks an IP address from your site after a set amount of incorrect login attempts.
    {{ DiscussionBoard.errors[9894500].message }}
    • Profile picture of the author sprucehill
      Originally Posted by azmanar View Post

      Now I know how they harvested usernames. They did it manually or by using some tools.

      If we View Source the Page or Post on WP, search for this line :
      Code:
      <meta property="article:author" content="http://domain.com/author/username/" />
      Is there a way of stopping WP from producing the meta property="article:author" on all Pages or Posts?
      I viewed the source code on all pages and posts on my 2 WP sites, and I do not have this line anywhere. And there is nowhere in any of the source code that shows my "username" (I am using the same theme on both sites; perhaps this particular theme does not show that line). I could understand it being harvested if it showed in the source code like that, but it doesn't on mine.

      Originally Posted by Tim Franklin View Post

      Just the Tip of the ICE BURG...

      The one thing that puzzles me is how many people either don't know or don't seem to care enough to do something about it, There was a half way decent WSO covering this a while back and the guy did not sell many copies of the product, (it did not solve no where near as many problems as it should have, but it was better than a lot of other products out there)

      Yet, the guy had a hard time selling his products.
      I have purchased a few WSOs on this subject, and not one has ever detailed anything that I wasn't already doing in some form. I am constantly looking for new ways to keep my sites secure, and I am open to any new (as opposed to rehashed) ideas. I have never been hacked - yet, but that doesn't mean it couldn't happen in the future.

      Originally Posted by Talltom1 View Post

      I just finished updating the htaccess file on all of the wp and magento sites on my server. The code that I entered blocks access to the login pages on any of the sites except from 1 or 2 specific IP addresses that are defined in the htaccess file.

      When somebody not on the authorized IP list attempts to access the wp-login or wp-admin page, they get a 404 not found error.
      I have done this before. However, my ISP frequently changes my IP address, and it was a real pain to have to go in and change the .htaccess every time my IP changed. It wouldn't be so bad, because right now I only have 2 WP sites, but I plan to add more soon and it would take a huge amount of time.

      In using Wordfence, I have also tried white-listing my current and previous IPs and blocking everything else. But, then when my IP changes I have to delete Wordfence from the plugin files in order to access my site, and then reinstall it again. That also gets to be a real pain.

      Is there some other solution for when your IP changes frequently?

      Originally Posted by Chris Lee View Post

      I use a plugin called Login Lockdown https://wordpress.org/plugins/login-lockdown/.

      That blocks an IP address from your site after a set amount of incorrect login attempts.
      I already do the same thing with Wordfence.
      {{ DiscussionBoard.errors[9898721].message }}
      • Profile picture of the author azmanar
        Originally Posted by sprucehill View Post

        I viewed the source code on all pages and posts on my 2 WP sites, and I do not have this line anywhere. And there is nowhere in any of the source code that shows my "username" (I am using the same theme on both sites; perhaps this particular theme does not show that line). I could understand it being harvested if it showed in the source code like that, but it doesn't on mine.
        Hi Sprucehill,

        Thanks. I sent a message to the theme developer about this.

        But do your WP Usernames get harvested or not?

        edit : yup. You had your usernames harvested, as stated in your earlier response.

        So they must've been harvesting usernames even without the theme like mine exposing it.
        Signature
        === >>> Tomorrow Should Be Better Than Today

        {{ DiscussionBoard.errors[9898733].message }}
        • Profile picture of the author sprucehill
          Originally Posted by azmanar View Post

          Hi Sprucehill,

          Thanks. I sent a message to the theme developer about this.

          But do your WP Usernames get harvested or not?
          Yes, they do. I just noticed this on my logs last week. And since it is not showing up in the viewable source code, I am very puzzled as to where they are getting them.
          {{ DiscussionBoard.errors[9898737].message }}
  • Profile picture of the author Forhad
    I recommend you to use "iThemes Security" WP plugin. It will help you to stop malicious people and their robots. This is the easiest, most effective way to secure WordPress in seconds.
    Signature

    Fan Page Robot: Automated Software to Grow Your Fan Pages
    Autopilot, Intelligent, Big Data, SEO-benefits, Easy-to-use.
    Social Media Autoposter + Booster
    WSO: Fan Page Robot Deal

    {{ DiscussionBoard.errors[9895267].message }}
    • Profile picture of the author Talltom1
      I just finished updating the htaccess file on all of the wp and magento sites on my server. The code that I entered blocks access to the login pages on any of the sites except from 1 or 2 specific IP addresses that are defined in the htaccess file.

      When somebody not on the authorized IP list attempts to access the wp-login or wp-admin page, they get a 404 not found error.

      So far, very effective.

      What I'm wondering about is how somebody here made the connection between WF usernames, and malicious login attempts. How was that link made?

      Tom
      Signature

      {{ DiscussionBoard.errors[9895518].message }}
      • Profile picture of the author OnlineStoreHelp
        Originally Posted by Talltom1 View Post

        I just finished updating the htaccess file on all of the wp and magento sites on my server. The code that I entered blocks access to the login pages on any of the sites except from 1 or 2 specific IP addresses that are defined in the htaccess file.

        When somebody not on the authorized IP list attempts to access the wp-login or wp-admin page, they get a 404 not found error.

        So far, very effective.

        What I'm wondering about is how somebody here made the connection between WF usernames, and malicious login attempts. How was that link made?

        Tom
        Care to share the code you used for your HTaccess file for us to copy... ?
        {{ DiscussionBoard.errors[9896249].message }}
        • Profile picture of the author jfalxr
          Originally Posted by OnlineStoreHelp View Post

          Care to share the code you used for your HTaccess file for us to copy... ?
          Would like to know about this too..

          Thanks
          {{ DiscussionBoard.errors[9896996].message }}
          • Profile picture of the author azmanar
            Hi,

            Thanks for sharing ideas. I really thought this thread would not receive any attention at all.

            Been very careful to not expose usernames online in post or pages, yet they still managed to harvest the usernames.

            Now I know how they harvested usernames. They did it manually or by using some tools.

            If we View Source the Page or Post on WP, search for this line :
            Code:
            <meta property="article:author" content="http://domain.com/author/username/" />
            Is there a way of stopping WP from producing the meta property="article:author" on all Pages or Posts?
            Signature
            === >>> Tomorrow Should Be Better Than Today

            {{ DiscussionBoard.errors[9898525].message }}
            • Profile picture of the author ripsnorta2
              If they're brute forcing their way into your WP Admin area, the problem is not the usernames. Your passwords are not strong enough.

              Others have suggested the plugins that block after a number of attempts. That normally would be enough to prevent a brute force.

              But these days it doesn't take very long at all to crack an 8 character password, especially if it's a dictionary word.

              I would suggest finding a plugin that forces all passwords to be strong ones. That is they should be:
              • minimum of 10 characters
              • must have both upper and lower case
              • must have one number
              • must have at least one non standard character !@#%^&*
              • not be something dumb like p@ssword

              Another thought:

              If they are still finding usernames and passwords, it may be that they have somehow hacked your server (not necessarily just the blog) and are looking into your database and at your PHP files. Go into your control panel and change that password too.

              If a hacker has had any quality time with your server, they may have added malicious code into the server itself or your blog install. It wouldn't be too hard to insert some PHP code into WP to intercept login attempts and send the details to the hacker.

              A complete WP reinstall would be your best move here.

              I'd also log a support request to your host and get them to look into it. If it's still happening the server itself may be compromised.
              {{ DiscussionBoard.errors[9898720].message }}
              • Profile picture of the author azmanar
                Originally Posted by ripsnorta2 View Post

                If they're brute forcing their way into your WP Admin area, the problem is not the usernames. Your passwords are not strong enough.

                Others have suggested the plugins that block after a number of attempts. That normally would be enough to prevent a brute force.

                But these days it doesn't take very long at all to crack an 8 character password, especially if it's a dictionary word.

                I would suggest finding a plugin that forces all passwords to be strong ones. That is they should be:
                • minimum of 10 characters
                • must have both upper and lower case
                • must have one number
                • must have at least one non standard character !@#%^&*
                • not be something dumb like p@ssword
                Thanks for highlighting this.

                Now my passwords have always been with the minimum of 14 characters but usually more than that. Min 3 numbers, 3 Uppercaps, 3 Lowercaps and 3 symbols plus additional characters. It would take some time to crack. And I always changed them every 2 months or so. No English dictionary words used.

                I had 1 WP site hacked once. So I wrote something about it here : http://www.warriorforum.com/blogs/az...han-sorry.html

                Originally Posted by ripsnorta2 View Post


                If they are still finding usernames and passwords, it may be that they have somehow hacked your server (not necessarily just the blog) and are looking into your database and at your PHP files. Go into your control panel and change that password too.

                If a hacker has had any quality time with your server, they may have added malicious code into the server itself or your blog install. It wouldn't be too hard to insert some PHP code into WP to intercept login attempts and send the details to the hacker.

                A complete WP reinstall would be your best move here.

                I'd also log a support request to your host and get them to look into it. If it's still happening the server itself may be compromised.
                Very, very good advice that all of us should be aware of.
                Signature
                === >>> Tomorrow Should Be Better Than Today

                {{ DiscussionBoard.errors[9898754].message }}
            • Profile picture of the author Zenoth
              Originally Posted by azmanar View Post

              Hi,

              Thanks for sharing ideas. I really thought this thread would not receive any attention at all.

              Been very careful to not expose usernames online in post or pages, yet they still managed to harvest the usernames.

              Now I know how they harvested usernames. They did it manually or by using some tools.

              If we View Source the Page or Post on WP, search for this line :
              Code:
              <meta property="article:author" content="http://domain.com/author/username/" />
              Is there a way of stopping WP from producing the meta property="article:author" on all Pages or Posts?
              You are probably using a SEO plugin that generates this meta tag (such as Yoast SEO, All in all SEO pack, etc.).

              Even if bots harvest the usernames, you should not have any problems if your theme and plugins are well coded (even if they reach the wordpress dashboard), except if they manage to guess the password of an administrator.

              By default, a registered user in WordPress has the "subscriber" role, a role that does not allow him to make very much damage (maybe to write some spam comments).

              There are a lot of big blogs based on WordPress which display the names of the registered users without problems.
              Of course, if you have a membership site, might be a less enjoyable situation if your members passwords are permanently hacked.
              In this case, you can use a plugin to force your members to have strong passwords (containing letters, numbers and some symbols).

              As someone mentioned before, use the "iThemes Security" plugin to redirect the common wp-login to another URL. This way, you will make harder for bots to find the login URL.

              The iThemes Security plugin has a lot of useful settings to improve the security of your site. I recommend it with confidence.
              Signature
              {{ DiscussionBoard.errors[9898986].message }}
  • Profile picture of the author Tim Franklin
    Just the Tip of the ICE BURG...

    90 percent of WordPress website operators do not realize the level of danger that their sites are exposed to every day, There are some products out there that are decent at slowing down the damage, but its a drop in the bucket.

    Right now as you might expect there is no 100percent guaranteed method of stopping everything that is going on in the background.

    Even a half way decent product only stop's about 12 percent of the issues that are common to wordpress installations.

    (IF your website is not under attack right now) Its likely that your not getting enough traffic or competition...
    The user name thing is one little thing, there are tons of much more serious issues that again most wordpress operators do not even realize is happening.

    Just have a look at your server logs, (that is the only way you can really see what is going on and once you do that you will have an entirely different outlook on protecting your website from bad traffic.
    Bad traffic can kill your blog, (search engines, will de-list you or bury you so deep in the search results you will never see the light of day)

    Adsense, ???

    If you have not been banned yet, you will unless you fix the issues, right now its almost impossible to do that, unless you spend some money on professional protection, its definitely something that you should be aware of and take steps to protect your investment of time and money.

    The one thing that puzzles me is how many people either don't know or don't seem to care enough to do something about it, There was a half way decent WSO covering this a while back and the guy did not sell many copies of the product, (it did not solve no where near as many problems as it should have, but it was better than a lot of other products out there)

    Yet, the guy had a hard time selling his products.

    Thanks for posting this thread we need to have a lot more discussions about these types of problems, )
    Signature
    Bitcoin | Crypto | Software Development | iOS | Android | AI Crypto |
    {{ DiscussionBoard.errors[9895598].message }}
  • Profile picture of the author KenW3
    Originally Posted by azmanar View Post

    Been very careful to not expose usernames online in post or pages, yet they still managed to harvest the usernames.

    Now I know how they harvested usernames. They did it manually or by using some tools.
    Try this: SLD.TLD/?author=1
    (where SLD Second Level Domain is your domain name and TLD Top Level Domain is your extension)
    Some of my WP installs return a result, some don't.

    For those that return a result, you should be able to cycle through all of the site's usernames by changing the numeral (Author=2, Author=3, etc.). For a large number of sites or a large number of usernames, I suppose this could be turned into a script.

    Hovering your mouse over the By line may show a user name URL if an author is shown for an article.

    It may be old, but is still a good primer: Hardening WordPress


    EDIT: I looked at the sites not returning a username for the author= query and the common element was a plugin, the free version of Wordfence
    {{ DiscussionBoard.errors[9898897].message }}
    • Profile picture of the author azmanar
      Originally Posted by KenW3 View Post

      Try this: SLD.TLD/?author=1
      (where SLD Second Level Domain is your domain name and TLD Top Level Domain is your extension)
      Some of my WP installs return a result, some don't.

      For those that return a result, you should be able to cycle through all of the site's usernames by changing the numeral (Author=2, Author=3, etc.). For a large number of sites or a large number of usernames, I suppose this could be turned into a script.

      Hovering your mouse over the By line may show a user name URL if an author is shown for an article.

      It may be old, but is still a good primer: Hardening WordPress


      EDIT: I looked at the sites not returning a username for the author= query and the common element was a plugin, the free version of Wordfence
      Ken Thanks !

      Your short and sharp statement is SPOT ON !

      Very helpful.
      Signature
      === >>> Tomorrow Should Be Better Than Today

      {{ DiscussionBoard.errors[9898969].message }}

Trending Topics