Wordfence - Someone guessed my Wordpress login

[Rob Stone]

Hi Everyone

I have limited login attempts on my site.

Added Wordfence the other day for 2fa

There is no way someone can guess my Wordpress login username but just had a limited login attempt ip blocked for 60 minutes and they are using my wordpress login I.d to try and guess the password.

How on earth did they get the login id?

Is Wordfence 2fa strong enough?

Is there a way to stop whoever it is as they must being using proxies

At the rate they are trying it will take them years to guess my password but its still concerning me they are persistant

Many Thanks everyone

 

[DarkRed]

It was not a guess !

It's likely that you use the author name as a login, many do this.

And you probably have a link to the author page on blog posts. This may be as a link to the author page when Wordpress outputs the author name or in the comments.

Or you index your author pages, so you can find them on Google Site:yoursite/author/

Also there's this: https://www.wpwhitesecurity.com/hide-wordpress-usernames-improve-wordpress-security/

If you use Cloudflare you can creae a page rule for the login page that serves a capcha to every user that visits the page. This will prevent bots from trying.

 

[Rob Stone]

Oh! Blimey that simple

Thanks very much Darkred I will look at the link and sort that out then.

Much appreciated indeed

 

[Ryuzaki]

It's not only that you end up exposing it on author pages, but that the way Wordpress bought into the REST API exposes all of the user accounts too (but not the passwords).

What I do, since I don't use the REST API and don't care if others embed my webpages (I'd rather them use a normal link for obvious reasons), is I force access to the REST API to require authentication. If the viewer isn't logged into the site, they can't see the user accounts.