Here's a puzzler for the computerheads that know more about Internet skullduggery than I. I haven't engaged in skullduggery for at least 30 years so I'm kind of rusty. Lol.

So I've had an instance of Enterprise / Unlimited WordPress installed and running on my server for a long time. My server is a Linux machine that I rent from 1and1 / ionos.

For top level administration, I disabled the default admin user and created a different user with admin privileges that I use. This account is under continuous login attack. I'm not terribly worried because the password is a long random string and I have timed lockout measures in place. It's kind of hard to try billions of possibilities when you're locked out for 20 minutes.

What puzzles me is how did they discover the username, which is also a random string? They have the right username. How was it discovered?

Any ideas? I'm really just curious.

@shuttersparks Lots of ways for the browser and other things in the chain of how you administer the system to leak that.

Do you run WordFence against that instance? Do you have 2FA?

@kahomono No, and no. I'm a busy guy and trust Firefox to handle that for me. I assume that https works.

I mean, NOBODY should know that username but me and the server.

Maybe I should change the username to some other random string and see what happens, as an experiment.

@shuttersparks That's not a horrible idea but also maybe think about the security of your sites. "But it's https" is to the web what "but I have McAfee" was to PC security.

Necessary but definitely not sufficient.
