Don’t Give Your Admin User Name Away

During the last month, my personal website had 67,068 brute force attacks blocked. A brute force attack is when some hacker is making guesses at your username and password so they can bet access to your site. This is one of the reasons why WordPress tells you NOT to use the default “Admin” for your username. That makes one less thing for the hacker to figure out.

But out of the box, WordPress has the REST API enabled and, unless you turn if off, hackers can easily request a list of user ids from your WordPress site, revealing the Admin user name. How do you tell if your WordPress installation is opening revealing the admin account?

Append “/wp-json/wp/v2/users” to your website address.

IE: www.yoursite.com/wp-json/wp/v2/users.

For example, if a hacker tries going to www.davidriewe.com/wp-json/wp/v2/users they will get

{“code”:”rest_cannot_access”,”message”:”DRA: Only authenticated users can access the REST API.”,”data”:{“status”:401}}

Which is ok, non authenticated users do not need to access the rest API on my website. They shouldn’t be allowed access on your site either.

Blocking REST API

This can be done with a plugin. I used “Disable REST API” by Dave McHale

David Riewe

David Riewe

Internet Consultant skilled in WordPress, HTML, Javascript, PHP, Search Engine Optimization (SEO), web development, and e-commerce.

Leave a Reply

Your email address will not be published.