Here's a puzzler for the computerheads that know more about Internet skullduggery than I. I haven't engaged in skullduggery for at least 30 years so I'm kind of rusty. Lol.
So I've had an instance of Enterprise / Unlimited Wordpress installed and running on my server for a long time. My server is a Linux machine that I rent from 1and1 / ionos.
For top level administration, I disabled the default admin user and created a different user with admin privileges that I use. This account is under continuous login attack. I'm not terribly worried because the password is a long random string and I have timed lockout measures in place. It's kind of hard to try billions of possibilities when you're locked out for 20 minutes.
What puzzles me is how did they discover the username, which is also a random string? They have the right username. How was it discovered?
Any ideas? I'm really just curious.