How to protect wp-login.php and plugins.php?

How do we protect WordPress installations from cyber vulnerabilities?

We noticed this GET request on protected WordPress installations:

GET /wp-login.php?redirect_to=https%3A%2F%2FmyXXWP.com%2Fwp-admin%2Fnetwork%2Fplugins.php&reauth=1 HTTP/1.1" 200 1988 "-" "-"

Is this a new approach to security and protection, since two PHP files are being attacked at once?

No, this is not a new security measure. The request you see (wp-login.php?reauth=1) is just normal WordPress behavior. It forces a user to log in again when needed.

If your WordPress site is under attack, this request is not protecting it. To improve security, you should enable two-factor authentication (2FA) using a plugin like WP 2FA and install a security plugin such as Wordfence or All In One WP Security & Firewall. These plugins help block brute-force attacks, scan for malware, and provide firewall protection.

Additionally, numerous online guides offer comprehensive steps to secure your WordPress site. For instance, WPBeginner provides an extensive WordPress Security Guide covering topics like keeping WordPress updated, using strong passwords, and implementing two-factor authentication. Similarly, the official WordPress.org site offers a detailed Hardening WordPress guide, which includes recommendations on securing your website through various best practices.


Thank you for the message!

Is there a PHP function to hide exposed usernames? I see that they know all the usernames, which I have never seen inside a secured web application.

Is there any checker for username disclosure in WordPress installations?

Hi,

How do you know attackers can see all usernames? Do you have some evidence of this?

Here are a bunch of methods you can use:

Start by testing author archives. Visit https://your-domain.com/?author=1 and see if it redirects to https://your-domain.com/author/username/.

Check the REST API by visiting https://your-domain.com/wp-json/wp/v2/users in a browser. If usernames are listed, they are exposed via the API.

You can also use online scanners like wpscan.com or the WPScan CLI to detect username leaks.

Inspect the HTML source of your site. Right-click on a page, select “View Page Source,” and search for author or user_nicename to see if usernames appear in metadata or links.

Test the login form behavior. Enter a random username at wp-login.php and check if the error message distinguishes between “incorrect password” (valid username) and “invalid username.” If it does, it confirms that valid usernames can be guessed.
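As an added example (not part of the thread above, and not code from WordPress core or WPScan), here is a small Python script that runs the four checks from the post as one procedure: the ?author=1 redirect, the /wp-json/wp/v2/users listing, author references in page source, and the wp-login.php error message. The HTTP layer is injectable, so the sample run below works offline against constructed responses for a hypothetical https://example.com with made-up users "alice" and "bob"; http_fetch() is the live variant. The login error phrases it matches ("is not registered on this site", "the password you entered for the username") are an assumption about current WordPress core wording, so adjust them if your site's messages differ.

```python
"""Username-disclosure checks for a WordPress site (added example, not from the thread)."""
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlencode, urlparse

# /author/<user_nicename>/ links and comment-author-<user_nicename> classes both carry usernames.
AUTHOR_LINK_RE = re.compile(r"/author/([A-Za-z0-9._-]+)/?")
COMMENT_AUTHOR_RE = re.compile(r"\bcomment-author-([A-Za-z0-9._-]+)\b")


def author_redirect_username(status, location):
    """?author=N leaks the nicename when WordPress answers with a 30x to /author/<name>/."""
    if status not in (301, 302) or not location:
        return None
    m = AUTHOR_LINK_RE.search(urlparse(location).path)
    return m.group(1) if m else None


def rest_api_usernames(status, body):
    """/wp-json/wp/v2/users returns a JSON list; 'slug' is the user_nicename."""
    if status != 200:
        return []
    try:
        users = json.loads(body)
    except ValueError:
        return []
    if not isinstance(users, list):
        return []
    return sorted({u["slug"] for u in users if isinstance(u, dict) and "slug" in u})


def html_source_usernames(html):
    """Usernames visible in author links and comment classes of an ordinary page."""
    return sorted(set(AUTHOR_LINK_RE.findall(html)) | set(COMMENT_AUTHOR_RE.findall(html)))


def classify_login_error(html):
    """'unknown-user' or 'valid-user' if the wp-login.php error tells them apart, else None.
    The matched phrases are assumed core wording; a hardened site returns one generic message."""
    text = html.lower()
    if "is not registered on this site" in text or "invalid username" in text:
        return "unknown-user"
    if "the password you entered for the username" in text or "incorrect password" in text:
        return "valid-user"
    return None


def check_site(base, fetch):
    """Run all four checks. fetch(url, data=None) -> (status, headers, body); data means POST."""
    base = base.rstrip("/")
    report = {}
    status, headers, _ = fetch(base + "/?author=1")
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    report["author_redirect"] = author_redirect_username(status, location)
    status, _, body = fetch(base + "/wp-json/wp/v2/users")
    report["rest_api"] = rest_api_usernames(status, body)
    status, _, body = fetch(base + "/")
    report["html_source"] = html_source_usernames(body) if status == 200 else []
    # A random, certainly non-existent username: an "unknown user" message proves enumeration.
    probe = urlencode({"log": "zz_no_such_user_7f3a", "pwd": "x", "wp-submit": "Log In"})
    status, _, body = fetch(base + "/wp-login.php", data=probe)
    report["login_enumerable"] = classify_login_error(body) == "unknown-user"
    return report


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # keep the raw 30x so the Location header can be inspected


def http_fetch(url, data=None):
    """Live fetch for check_site(); not used by the offline sample run below."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, data=data.encode() if data else None)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:  # urllib raises on 3xx/4xx; still a usable response
        return e.code, dict(e.headers), e.read().decode(errors="replace")


# Constructed responses for a hypothetical, fully leaking site (not captured from a real host).
SAMPLE_RESPONSES = {
    "https://example.com/?author=1": (301, {"Location": "https://example.com/author/alice/"}, ""),
    "https://example.com/wp-json/wp/v2/users": (200, {}, json.dumps(
        [{"id": 1, "name": "Alice Smith", "slug": "alice"}, {"id": 2, "name": "Bob", "slug": "bob"}])),
    "https://example.com/": (200, {}, '<a rel="author" href="https://example.com/author/alice/">Alice</a>'
                                      '<li class="comment byuser comment-author-bob">'),
    "https://example.com/wp-login.php": (200, {}, '<div id="login_error"><strong>Error:</strong> The username '
                                                  '<strong>zz_no_such_user_7f3a</strong> is not registered on this site.</div>'),
}


def sample_fetch(url, data=None):
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    print(json.dumps(check_site("https://example.com", sample_fetch), indent=2))
```

Against a real site call check_site("https://your-domain.com", http_fetch); an empty rest_api list, a 200 (not a redirect) for ?author=1, and login_enumerable False are the results you want to see.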