Hacker knows usernames .. how?


I have had multiple bruteforce attempts to access one of my websites today. Fortunately Defender alerted me to these and i have used IP banning to lock them out (thank you wpmudev!). Looking at the logs i can see the hacker tried various usernames to access the website. It looks like they then cycled through passwords trying to gain access but fortunately they were unable as all the passwords are high strength, and because defender stopped them at 5 failed attempts. My question is, how did the hacker know a list of registered usernames to try? Where would they have got this info? And is it 'hideable' to prevent future target attacks?

All plugins and themes etc are up to date.

Thanks in advance


  • Nebu John
    • Staff

    Hi Matt,

    I hope you're well today and thank you for reaching out to us!

    Usually, this happens when you are having commonly used usernames or if you have a username visible in your site. Brute force attacks will commonly use automated tools to guess various combinations of usernames and passwords until they find the correct input.

    Since you have Defender installed and Login protection enabled, you are safe from Brute Force attacks. Make sure that you use strong passwords, longer the password, the more time it will typically take to find the correct input.

    On further investigating, I identified that username could be easily fetched from your sites RSS feed. To hide this, you will have to disable your RSS feeds. This can be done by manually adding the below-given code into 'functions.php' file in your theme folder.

    function wpb_disable_feed() {
    wp_die( __('No feed available,please visit our <a href="'. get_bloginfo('url') .'">homepage</a>!') );
    add_action('do_feed', 'wpb_disable_feed', 1);
    add_action('do_feed_rdf', 'wpb_disable_feed', 1);
    add_action('do_feed_rss', 'wpb_disable_feed', 1);
    add_action('do_feed_rss2', 'wpb_disable_feed', 1);
    add_action('do_feed_atom', 'wpb_disable_feed', 1);
    add_action('do_feed_rss2_comments', 'wpb_disable_feed', 1);
    add_action('do_feed_atom_comments', 'wpb_disable_feed', 1);

    Alternatively, you could use any plugin that helps to disable RSS feeds. 'Disable Feeds' is one such plugin, you could download it from the below link.

    Kind Regards,
    Nebu John

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.