Changing Display Name For Security?

[DjPorkchop73]

Hello all!

I made a discovery on my install that I am sure is old news to you all but new to me.

I changed my Display name so it did not match my login name. I QUICKLY realized that that little trick was not going to stop a hacker from finding out my real username. No big deal really. With a very strong password what's to worry? Well, I suppose some will worry anyhow (like I do).

So how do they do it? They go to http://(yourblog.com) and add a /?author=1 to it and tah dah! It shows them your Real username. How did I stop it from happening again? I altered my .htaccess file. You can try this at your own blog by typing in your url and appending the /?author=1 at the end of your url. Verify that it actually worked as well by viewing your access logs.

Find the very last line of you .htaccess file (empty line) and add:

Code: Select all

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

That should do the trick for you. If a user is not in the admin area and the auth is appended, it will simply redirect them back to your home page. There are other ways to solve it as well but I think this is the easiest way if one has access to their .htaccess file.

Take care all and have a very great day / evening! #GetWellSoonWorld

[DjPorkchop73]

I forgot to mention where I learned this fix this morning as I was very tired and ready for bed before I posted. To give credit where credit is due I learned the fix from the folks over at https://www.wp-tweaks.com/hackers-can-f ... -username/

I do not work for them or represent them in any way shape or form.

[axew3]

Nice readings! About the aspect of exposed usernames and admins (into any system): yes it is good practice to not have an exposed username known as system admin. Anyway, for example, on this running example it exist the username admin, and have all privileges. The problem for anybody that like to break into using credentials, is that a strike login substantially nullify any chance. After 3 failed logins the firewall block the access. There are attempts i see on log, or because notified by the firewall: i do not change the admin pass by 4 or 5 years now, i also ignore what it was, whenever i want i will change! I inform also, that axew3 is admin in phpBB and WP here. Unfortunately there are strike logins all around here, so you need to guess to be so lucky.

Resuming: with an username on the hands, you can't do too much if you do not have possibility to bruteforce it, assuming the wrapper where you move into is secure (in this case phpBB and WP). And do not forget where they run into, that is your server.

[DjPorkchop73]

I do agree with you 100% on the strike system. I would argue anyone that does not want to use that method that you describe in your how to post elsewhere in this forum needs to try this method I describe then for security sakes. I have had many brute force attempts prior to my testing of Display username changes and your method using WP Security stopped it every time.

Some people are strong minded and wish not to add another plugin and edit a .htaccess for one reason or the other, to each their own I suppose who am I to judge, and this trick here should suffice. Following the link I provided above they give another example or two of what else can help or "Do the Trick" but to me the .htaccess works good enough if not use WP Security and the brute force strike method that you have told us how to do.

[axew3]

You have completely reason, also because it is annoying to get emails informing you that your account has been locked due to bruteforce attack. Also, if there is an undiscovered vulnerability, may the fact that an admin account is not exposed and not known, nullify the security bug. It depend.

Days ago, i discovered into an old domain i own where a very old vBulletin was running, that someone has been able to rewrite the htaccess on root, and put files on the server root.
The hack was redirecting any user visiting the site to a malicious site.
The fact that they have been able to overwrite the htaccess and upload files into root, impressed me. The php version running on server was the php vulnerable 7.1version. Together with the old of years vBulletin, has been a joke for them to break into. In this case, the fact i had or not exposed admin accounts, was not relevant. They bypassed any security wall using a vulnerability on server, and on the old vBulletin bugs.

So your way to do is the best practice, mine is a (dangerous) fun game, that by the way, go on from years now here on this site, that i check and update constantly.

[DjPorkchop73]

The great thing about hackers is they will always teach us how to keep our websites and server secure. lol.

I do like your Strike Brute Force login method much better using WP Security than the .htaccess method really. It is simple and clean. I highly advise all readers to go check that out and use it. And anyone reading who may be wondering what we are talking about, have a read here viewtopic.php?f=2&t=80. Admin has out together a wonderful article and how to for securing out installs.

On another note, I am utterly shocked that phpBB3 does not have a separate Display name and Login name option. I did find a old mod a guy created years ago but it isn't plugin form. I pondered trying to update it and create a plugin but that won't happen. I have to much going on as it is. https://www.phpbb.com/customise/db/mod/ ... user_name/. This mod was abandoned long ago sadly enough and phpBB never saw it important enough to add it as a security feature.