Member | March 22, 2021 at 4:54 pm
I occasionally see logs with random IP addresses trying to log in to my site using the database name.
I can’t imagine how anyone could figure that out in the first place and I’m concerned there is a security hole I need to close.
Anyone know how this is done and how to prevent it?
I made a mistake saying “database name”. No coffee yet.
I actually meant: “cPanel user name”, i.e. they are trying to log in to my WordPress with my cPanel account user name.
It’s still most likely a WordPress bug somewhere though, as no other log shows similar activity.
chesbyiii | Guest | March 22, 2021 at 4:54 pm
Depending on your host, your install path might reveal your cPanel username, and a badly written WordPress plugin could expose it.
Lucky_No_13 | Guest | March 22, 2021 at 4:54 pm
Is it a pseudo random name, or something easy like wpdb?
stevoli | Guest | March 22, 2021 at 4:54 pm
If they’re trying to log in with your cPanel usernames, and you don’t have those usernames set up in WordPress anywhere, it doesn’t sound like it’s related to WordPress at all. Possibly a data leak at your hosting provider.
Edward_Morbius | Guest | March 22, 2021 at 4:54 pm
WordPress publishes the user names via a JSON endpoint with no authentication: https://wordpress.org/wp-json/wp/v2/users
I think it’s really stupid, but it’s there.
searchcandy | Guest | March 22, 2021 at 4:54 pm
I know in at least a couple of points in the past there have been plugin vulnerabilities that worked on some WP sites where you could [download the config.php](https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-dbmanager-wp-config-php-arbitrary-file-download-2-60/) file…
markjaquith | Guest | March 22, 2021 at 4:54 pm
Is your cPanel username in your document root path?
If so, you may have a path disclosure somewhere on an error page (this is common).
kiva-churro | Guest | March 22, 2021 at 4:54 pm
Is your cPanel name in your file path? Like /var/www/cpanelname/public_html/
StradivariusSas | Guest | March 22, 2021 at 4:54 pm
Easy, the wp-config.php doesn’t have the correct permissions. (It should be 600.)
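A local check for the three things raised in the replies above (cPanel name in the document root, paths printed on error pages, and wp-config.php permissions), as an added example that is not part of the thread. The account name `exampleacct`, the directory layout and the PHP warning text are constructed assumptions.

```python
import os
import re
import stat
import tempfile

def config_mode_ok(wp_root):
    """True when wp-config.php grants nothing to group or other (0600 or tighter)."""
    mode = stat.S_IMODE(os.stat(os.path.join(wp_root, "wp-config.php")).st_mode)
    return (mode & 0o077) == 0

def username_in_docroot(wp_root, account_user):
    """True when the hosting account name is a component of the install path."""
    return account_user in os.path.abspath(wp_root).split(os.sep)

# Absolute Unix paths to .php files, as they appear in PHP warnings and notices.
PATH_RE = re.compile(r"(/(?:[\w.-]+/)+[\w.-]+\.php)")

def leaked_paths(page_text, account_user):
    """Absolute .php paths in a response body that contain the account name."""
    return [p for p in PATH_RE.findall(page_text) if account_user in p.split("/")]

def audit(wp_root, account_user, page_text):
    return {
        "config_mode_ok": config_mode_ok(wp_root),
        "username_in_docroot": username_in_docroot(wp_root, account_user),
        "leaked_paths": leaked_paths(page_text, account_user),
    }

def demo():
    """Build a constructed install under a temp dir and audit it twice."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "home", "exampleacct", "public_html")
        os.makedirs(root)
        cfg = os.path.join(root, "wp-config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(cfg, 0o644)  # world-readable: the case the reply warns about
        # Constructed PHP warning of the kind a misconfigured site prints.
        page = ("<b>Warning</b>: include(): Failed opening 'x.php' in "
                "<b>/home/exampleacct/public_html/wp-content/plugins/demo/demo.php</b> on line 12")
        before = audit(root, "exampleacct", page)
        os.chmod(cfg, 0o600)  # tightened, and error display turned off
        after = audit(root, "exampleacct", "<html>Page not found</html>")
        return before, after

if __name__ == "__main__":
    print(demo())
```

`username_in_docroot` staying true after the fixes is expected: the path itself does not change, only whether the site prints it.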
RandomDood420 | Guest | March 22, 2021 at 4:54 pm
There used to be a command that would expose the first user of the site’s username. The workaround was to strip that user’s privileges and make a different account the admin.
srmarmalade | Guest | March 22, 2021 at 4:54 pm
If you mean cPanel (as in the hosting control panel software) – the default username follows a predictable pattern based on the site domain. Is that it?
diewhilelive | Guest | March 22, 2021 at 4:54 pm
One way to do it is heading over to [mysite.com/wp-json/wp/v2/users](https://mysite.com/wp-json/wp/v2/users), which is an endpoint from the WP REST API. A “fix” for it is usually disabling the REST API completely, supposing you or an external service is not using it.
Another solution I’ve seen on a couple of sites (usually WooCommerce) is that, when you have a big enough customer database, you create a new account for the admin and delete the first one so it doesn’t appear on the endpoint (id 1 tends to be the admin of the site; you can also transfer all uploaded media to the new user when you delete the first one so your media library doesn’t vanish).
trulygamers | Guest | March 22, 2021 at 4:54 pm
If they are trying your cPanel username, I am assuming you are talking about your hosting account cPanel, not the WordPress login username. In this case, it’s not about your website; your cPanel username leaked somewhere else, at your hosting provider probably.
If you are talking about your WordPress database user, then the only place they could find it is in the wp-config.php file, but if they reach that file they would have your database name and password also.
If you are talking about your wp-admin login, bots do random attacks all the time; if you used a familiar username they could get it anywhere. Usual attacks are with the username admin, administrator, or your website email address, so don’t use that as your WordPress admin account.
nolo_me | Guest | March 22, 2021 at 4:54 pm
Usernames shouldn’t be considered secret and good security practices focus on hiding things that actually are, like passwords.
Tarr3Vizsla | Guest | March 22, 2021 at 4:54 pm
Why would it matter if they have the username but no password?