
  • How do hackers get wordpress database user?

     David updated 1 year, 8 months ago 2 Members · 2 Posts
  • David

    Member
    March 22, 2021 at 4:54 pm

    I occasionally see logs with random IP addresses trying to log in to my site using the database name.

    I can’t imagine how anyone could figure that out in the first place and I’m concerned there is a security hole I need to close.

    Anyone know how this is done and how to prevent it?

    MAJOR EDIT:

    I made a mistake saying “database name”. No coffee yet.
    I actually meant: “cPanel user name”, i.e. they are trying to log in to my WordPress with my cPanel account user name.

    It’s still most likely a WordPress bug somewhere though, as no other log shows similar activity.

  • chesbyiii

    Guest
    March 22, 2021 at 4:54 pm

    Depending on your host, your install path might reveal your cPanel username, and a badly written WordPress plugin could expose it.

  • Lucky_No_13

    Guest
    March 22, 2021 at 4:54 pm

    Is it a pseudo random name, or something easy like wpdb?

  • stevoli

    Guest
    March 22, 2021 at 4:54 pm

    If they’re trying to log in with your cPanel usernames, and you don’t have those usernames set up in WordPress anywhere, it doesn’t sound like it’s related to WordPress at all. Possibly a data leak at your hosting provider.

  • Edward_Morbius

    Guest
    March 22, 2021 at 4:54 pm

    WordPress publishes the user names via a JSON endpoint with no authentication: https://wordpress.org/wp-json/wp/v2/users

    I think it’s really stupid, but it’s there.

  • searchcandy

    Guest
    March 22, 2021 at 4:54 pm

    I know in at least a couple of points in the past there have been plugin vulnerabilities that worked on some WP sites where you could [download the config.php](https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-dbmanager-wp-config-php-arbitrary-file-download-2-60/) file…

  • markjaquith

    Guest
    March 22, 2021 at 4:54 pm

    Is your cPanel username in your document root path?

    If so, you may have a path disclosure somewhere on an error page (this is common).

  • kiva-churro

    Guest
    March 22, 2021 at 4:54 pm

    Is your cPanel name in your file path? Like /var/www/cpanelname/public_html/

  • StradivariusSas

    Guest
    March 22, 2021 at 4:54 pm

    Easy, the wp-config.php doesn’t have the correct permissions. (It should be 600.)

  • RandomDood420

    Guest
    March 22, 2021 at 4:54 pm

    There used to be a command that would expose the first user of the site’s username. The workaround was to strip that user’s privileges and make a different account the admin.

  • srmarmalade

    Guest
    March 22, 2021 at 4:54 pm

    If you mean cPanel (as in the hosting control panel software) – the default username follows a predictable pattern based on the site domain. Is that it?

  • diewhilelive

    Guest
    March 22, 2021 at 4:54 pm

    One way to do it is heading over to [mysite.com/wp-json/wp/v2/users](https://mysite.com/wp-json/wp/v2/users) which is an endpoint from the WP REST API. A “fix” for it is usually disabling the REST API completely, supposing you or an external service is not using it.

    Another solution I’ve seen on a couple of sites (usually WooCommerce) is that when you have a big enough customer database, you create a new account for the admin and delete the first one so it doesn’t appear on the endpoint (id 1 tends to be the admin of the site; you can also transfer all uploaded media to the new user when you delete the first one so your media library doesn’t vanish).

  • trulygamers

    Guest
    March 22, 2021 at 4:54 pm

    If they are trying your cPanel username, I am assuming you are talking about your hosting account cPanel, not the WordPress login username. In this case, it’s not about your website; your cPanel username leaked somewhere else, at your hosting provider probably.

    If you are talking about your WordPress database user, then the only place they could find it is in the wp-config.php file, but if they reach that file they would have your database name and password also.

    If you are talking about your wp-admin login, bots do random attacks all the time; if you used a familiar username they could get it anywhere. Usual attacks are with the username admin, administrator, or your website email address, so don’t use that as your WordPress admin account.

  • nolo_me

    Guest
    March 22, 2021 at 4:54 pm

    Usernames shouldn’t be considered secret and good security practices focus on hiding things that actually are, like passwords.

  • Tarr3Vizsla

    Guest
    March 22, 2021 at 4:54 pm

    Why would it matter if they have the username but no password?
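
A self-check a site owner can run for three of the causes suggested in this thread (wp-config.php permissions, a document root path that embeds the hosting account name and shows up in error output, and the unauthenticated users endpoint). This is an added example, not part of any reply above; the document root, account name, error page and JSON are constructed samples, and the `/home/<account>/` and `/var/www/<account>/` layouts are assumptions about the host.

```python
import json, os, re, stat, tempfile

# Constructed sample inputs (not taken from any real site).
DOCROOT = "/home/exampleacct/public_html"
ERROR_PAGE = ("<b>Warning</b>: include(missing.php): failed to open stream in "
              "<b>/home/exampleacct/public_html/wp-content/plugins/demo/demo.php</b>"
              " on line <b>12</b>")
USERS_JSON = '[{"id": 1, "name": "Site Admin", "slug": "siteadmin"}]'

def config_mode_issue(path):
    """Return the octal mode if wp-config.php is looser than 600, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return oct(mode) if mode & 0o177 else None

def account_from_docroot(docroot):
    """Account name embedded in the path (assumed /home or /var/www layout)."""
    m = re.match(r"^/(?:home\d*|var/www)/([^/]+)/", docroot)
    return m.group(1) if m else None

def path_disclosures(body, docroot):
    """Absolute server paths under the document root found in a saved response."""
    base = re.escape(docroot.rstrip("/"))
    return sorted(set(re.findall(base + r"[\w./-]*", body)))

def exposed_slugs(users_json):
    """Login slugs listed in a saved copy of your own /wp-json/wp/v2/users."""
    return [u["slug"] for u in json.loads(users_json) if "slug" in u]

def audit(config_path, docroot, response_body, users_json):
    findings = []
    mode = config_mode_issue(config_path)
    if mode:
        findings.append(f"wp-config.php mode is {mode}, expected 0o600")
    account = account_from_docroot(docroot)
    for p in path_disclosures(response_body, docroot):
        findings.append(f"response discloses {p} (account name: {account})")
    for slug in exposed_slugs(users_json):
        findings.append(f"users endpoint lists login slug '{slug}'")
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "wp-config.php")
        open(cfg, "w").close()
        os.chmod(cfg, 0o644)  # simulate a world-readable config file
        for line in audit(cfg, DOCROOT, ERROR_PAGE, USERS_JSON):
            print(line)
```

To use it on a real install, point `audit` at the actual wp-config.php and feed it response bodies saved from your own site's error pages and users endpoint.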
