Securing Admin Accounts – Username Discovery

We’ve had Limit Login Attempts installed for some weeks now, and the number of brute-force attempts occurring on wp-admin/wp-login is pretty amazing. At first the attempts were all with the username “Admin,” which doesn’t exist on our site, so I considered it an annoyance but not much of a threat. However, now we’re seeing lockouts occurring with other named admin user accounts, and I’m completely at a loss to understand how the attackers are deducing the usernames of these accounts.

No content on our site is authored by anyone in particular and I can’t find any other location on our site where these usernames are publicly published.

Any idea as to how usernames might be discoverable?

Solutions collected from the web for "Securing Admin Accounts – Username Discovery"

If you have pretty permalinks enabled, WordPress will redirect all calls to /?author=1 to the author archive with the username, e.g. /author/bob/. The visitor will then know the author's login name.

Use Login Lockdown, that plugin does not reset accounts, it will block IP addresses.
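The redirect described in the answer above is performed by WordPress's own canonical-redirect handling on the template_redirect hook, so a mitigation has to intercept the raw ?author=N request before that point. The following is an added example (not code from the thread or from WordPress itself) of a must-use plugin that does this on the earlier init hook, logs the probe so IP-based tooling can see it, and leaves legitimate /author/name/ archive URLs untouched. The plugin and function names, and the log-line format, are this example's own choices.

```php
<?php
/*
Plugin Name: Author enumeration guard (example)
Description: Blocks /?author=N probes before WordPress can redirect them to /author/<login>/.
*/

// Hooked on 'init' at priority 1 so it runs before redirect_canonical(), which
// WordPress attaches to 'template_redirect' and which performs the revealing redirect.
add_action( 'init', 'example_guard_author_enumeration', 1 );

function example_guard_author_enumeration() {
    // Dashboard requests and logged-in users are not the enumeration concern here.
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }

    // Only the query-string form (?author=1, ?author[]=1 ...) is a probe;
    // the pretty /author/bob/ form is a normal archive URL and is left alone.
    if ( ! isset( $_GET['author'] ) ) {
        return;
    }

    // Record the attempt in the PHP error log (where Limit Login Attempts-style
    // or fail2ban-style tooling can pick it up). Log line format is this example's own.
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $raw = is_array( $_GET['author'] ) ? implode( ',', $_GET['author'] ) : (string) $_GET['author'];
    error_log( sprintf( 'author-enumeration blocked ip=%s author=%s', $ip, $raw ) );

    // Answer the probe without ever resolving the user ID to a login name.
    // A 404 gives the scanner nothing; the thread's own suggestion of redirecting
    // to the home page would work equally well here.
    status_header( 404 );
    nocache_headers();
    exit;
}
```

Save the file under wp-content/mu-plugins/ so it is always active. To verify, request /?author=1 from a logged-out session (for example with curl -I) and confirm the response is the 404 and carries no Location header pointing at /author/...; a request for an existing /author/name/ archive should still render normally.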

Clever buggers. I think I am just going to redirect requests to /?author=. Sound reasonable? Something like:

add_action( 'template_redirect', 'my_author_redirect' );
function my_author_redirect() {
    // Send any author-archive request back to the site root.
    if ( is_author() ) {
        wp_redirect( get_bloginfo( 'url' ), 301 );
        exit; // stop processing so the archive is never rendered
    }
}