[wp-hackers] Limit Login Attempts

Chris Williams chris at clwill.com
Thu Apr 25 22:49:15 UTC 2013

Excellent post, Otto.

There is one exception to this, as most here know.  The username "admin"
has been the de facto "super user" for WP for years.  Yes, I know that's
no longer the case.  But as I have found on my sites, this has lead to 99%
of the brute force attacks I'm seeing being against the "admin" username.
This is true on sites where admin has never posted, and even on those
where the admin account does not exist.

This is just to say, if you haven't removed the "admin" username, you're
probably asking for trouble.


On 4/24/13 5:07 PM, "Otto" <otto at ottodestruct.com> wrote:

>On Wed, Apr 24, 2013 at 6:20 PM, Mark Costlow <cheeks at swcp.com> wrote:
>First, note that users without published posts will not get the
>redirect from the ?author=N requests. Only published authors will. So
>don't publish using admin credentials and this is mitigated.
>On a wider note, however, usernames are not meant to be considered
>private information, and efforts to hide or treat them as private are
>misguided and potentially harmful. I realize that this is
>counter-intuitive, so allow me to explain:

Trimmed only for brevity...

More information about the wp-hackers mailing list