How do hackers workout the WordPress Admin user account?

I noticed recently after installing the Limit Login Attempt plugin (which is a great plugin) that hackers were continually trying to break the WordPress Admin account and they all seemed to know what the WordPress Admin username was, which bugged me.  I wasn’t just using “Admin”, which we all know is the default, I was using a custom Admin username which I thought was making it more secure.

What they were doing was executing the following:

which returns the Admin username in the URL.

The best way to stop this is to add the following in the .htaccess file in your website root directory, underneath what is generated by WordPress.

# Stop Author=1 hack
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

Copyright © 2024