You’re not going to tell me, right… of course you’re not!
But did you know that, unless you’ve taken the necessary steps (or your hosting company/web developer has), a hacker can find out what your username is in a few seconds?
Simply adding the string /?author=(number) to the end of your domain will result in your username being displayed if the site is not protected. Most sites have no more than 2 registered usernames, so botnets typically search up to 10 numbers, e.g.
In the screen grab below I’ve added the extra string…
I press enter and… tadaaarr! As if by magic the username ‘test1’ appears in the URL string!
Try it out on your own WordPress website. You may need to keep going up in numbers depending on how your website was built, but it should be under ten. A sure sign that this hole has been patched up by your web dev is that you get nothing back, get an error message, or even get locked out of that site.
I wouldn’t bother trying on our website, as we are protected and you will find yourself blocked from our website for a month. And don’t try it on anyone else’s website without permission, as hacking is illegal and your intentions may be misunderstood.
You’re not protected – now what?
OK, so your site isn’t protected and anyone can find out what your username is. So what?
Did you hear about the botnets attacking WordPress sites with the username ‘admin’ in the news? Once they have a username, half the battle is won: they can run scanners like http://wpscan.org/ to try hundreds of variations of popular passwords in minutes. Once they’re in – it’s not worth thinking about.
This hole can be plugged, and it’s important that it is fixed, as your website is at risk. Ask your web developer, they should be able to help – if not, get in touch and we can.
Our clients are protected as it’s one of a number of security services we provide.
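
One way to plug this on the WordPress side, shown as an added example that is not from the original post: a small must-use plugin that answers numeric ?author= lookups on the public site with a 404 before WordPress can redirect to the author URL. The file path and the `example_` function names are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Block author enumeration (added example)
 *
 * Assumed location: wp-content/mu-plugins/block-author-enum.php
 * Must-use plugins load on every request and cannot be switched off
 * from the dashboard.
 */

/**
 * Hypothetical helper: true when the request asks for an author by numeric ID.
 */
function example_is_author_id_request() {
    if ( ! isset( $_GET['author'] ) ) {
        return false;
    }

    $author = $_GET['author'];

    // ?author[]=1 arrives as an array; treat it as a lookup attempt as well.
    if ( is_array( $author ) ) {
        return true;
    }

    // Only digits (optionally padded with whitespace) count as an ID lookup.
    return (bool) preg_match( '/^\s*\d+\s*$/', (string) $author );
}

/**
 * Hypothetical handler: stop the request before the canonical redirect,
 * which is the step that puts the username into the URL.
 */
function example_block_author_enumeration() {
    // Leave wp-admin alone: the Posts screen legitimately filters by ?author=N.
    if ( is_admin() ) {
        return;
    }

    if ( example_is_author_id_request() ) {
        // Same answer for every ID, so existing and missing users look alike.
        wp_die( 'Not found', 'Not found', array( 'response' => 404 ) );
    }
}

// 'init' runs before 'template_redirect', where the canonical redirect happens.
add_action( 'init', 'example_block_author_enumeration' );
```

After installing it, requesting /?author=1 on your own site should return the 404 page instead of changing the URL to one containing a username.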