www programming

Just arrived an email from my host provider:
[quote]ti informiamo che sul plugin Contact Form 7 di WordPress, che i nostri sistemi automatici di gestione hanno rilevato essere installato su uno o più dei tuoi siti, è emersa una grave vulnerabilità.[/quote]

grave vulnerabilità = severe security issue

in fact, this plugin 5 millions install, Contact Form 7, was coming with a security issue, that leave your site to be an easy target for hackers:
[quote]Removes control, separator, and other types of special characters from filename to fix the unrestricted file upload vulnerability issue.[/quote]
5.3.2 fixed this aspect but: are we sure that an hacker, do not placed now a file somewhere into our system, if the contact form (not in my case) was allowed to upload attachments?

So i just would like to remember an assertion, coming from the old bruteforce topic:
[quote]Hint for cool people: do not overload WordPress activating multiple not useful features, thinking that for this you'll be more secure. If the code of plugins you use, the server configuration, and the cms are secure, maybe (maybe not) you do not need to much to pretend to stay secure, except the above. This is it on this online example since ever.[/quote]

The great thing about hackers is they will always teach us how to keep our websites and server secure. lol.

I do like your Strike Brute Force login method much better using WP Security than the .htaccess method really. It is simple and clean. I highly advise all readers to go check that out and use it. And anyone reading who may be wondering what we are talking about, have a read here [url]https://www.axew3.com/w3/forums/viewtopic.php?f=2&t=80[/url]. Admin has out together a wonderful article and how to for securing out installs.

On another note, I am utterly shocked that phpBB3 does not have a separate Display name and Login name option. I did find a old mod a guy created years ago but it isn't plugin form. I pondered trying to update it and create a plugin but that won't happen. I have to much going on as it is. [url]https://www.phpbb.com/customise/db/mod/separate_login_and_user_name/[/url]. This mod was abandoned long ago sadly enough and phpBB never saw it important enough to add it as a security feature.

You have completely reason, also because it is annoying to get emails informing you that your account has been locked due to bruteforce attack. Also, if there is an undiscovered vulnerability, may the fact that an admin account is not exposed and not known, nullify the security bug. It depend.

Days ago, i discovered into an old domain i own where a very old vBulletin was running, that someone has been able to rewrite the htaccess on root, and put files on the server root.
The hack was redirecting any user visiting the site to a malicious site.
The fact that they have been able to overwrite the htaccess and upload files into root, impressed me. The php version running on server was the php vulnerable 7.1version. Together with the old of years vBulletin, has been a joke for them to break into. In this case, the fact i had or not exposed admin accounts, was not relevant. They bypassed any security wall using a vulnerability on server, and on the old vBulletin bugs.

So your way to do is the best practice, mine is a (dangerous) fun game, that by the way, go on from years now here on this site, that i check and update constantly.

I do agree with you 100% on the strike system. I would argue anyone that does not want to use that method that you describe in your how to post elsewhere in this forum needs to try this method I describe then for security sakes. I have had many brute force attempts prior to my testing of Display username changes and your method using WP Security stopped it every time.

Some people are strong minded and wish not to add another plugin and edit a .htaccess for one reason or the other, to each their own I suppose who am I to judge, and this trick here should suffice. Following the link I provided above they give another example or two of what else can help or "Do the Trick" but to me the .htaccess works good enough if not use WP Security and the brute force strike method that you have told us how to do.

Nice readings! About the aspect of exposed usernames and admins (into any system): yes it is good practice to not have an exposed username known as system admin. Anyway, for example, on this running example it exist the username admin, and have all privileges. The problem for anybody that like to break into using credentials, is that a strike login substantially nullify any chance. After 3 failed logins the firewall block the access. There are attempts i see on log, or because notified by the firewall: i do not change the admin pass by 4 or 5 years now, i also ignore what it was, whenever i want i will change! I inform also, that axew3 is admin in phpBB and WP here. Unfortunately there are strike logins all around here, so you need to guess to be so lucky.

Resuming: with an username on the hands, you can't do too much if you do not have possibility to bruteforce it, assuming the wrapper where you move into is secure (in this case phpBB and WP). And do not forget where they run into, that is your server.

I forgot to mention where I learned this fix this morning as I was very tired and ready for bed before I posted. To give credit where credit is due I learned the fix from the folks over at [url]https://www.wp-tweaks.com/hackers-can-find-your-wordpress-username/[/url]

I do not work for them or represent them in any way shape or form.