Can user accounts be exposed like WP admin usernames? What damage can be done if compromised?

Over the last couple of weeks, I’ve been getting tons of failed login attempts on my WordPress admin account, as reported by the “Limit Login Attempts Reloaded” plugin. Turns out, my admin username is known—apparently to hackers, it’s easy to find any WordPress username if someone wants to. I read somewhere that the WordPress username is publicly accessible as an author slug, or through something called User Enumeration.

That got me thinking about my site built with Listing Hive. Since it allows user signups (customers, service providers etc.), can anyone find the usernames of my registered users just like they can with WP admins?

If yes:

  1. What steps can I take to protect them?
  2. If someone manages to get hold of a user’s username + password, what kind of access do they get?
  3. What kind of damage could a hacker potentially cause through those compromised accounts?

Would appreciate any solid advice or best practices. I want to secure the site before opening it to the public. Thanks!

Hi,

Thanks for the details. Please note that HivePress does not have a search function for regular users from the frontend (only vendors and if enabled). Please make sure that the user display feature is disabled in HivePress > Settings > Users. Also, if you don’t need to display vendors, you can disable this feature in HivePress > Settings > Vendors.

If a regular user is hacked in any way, there is no access to damage in the WordPress Dashboard, as it displays users with different roles (subscriber, contributor, etc.). Also, if the “Restrict access to the WordPress back-end” feature is enabled in HivePress > Settings > Users, only the administrator will have access to the WordPress Dashboard.

I hope it helps.
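
One way to close the WordPress-core username exposure raised in the question (author slugs, user enumeration), as an added example that is not part of this thread and not HivePress code: a small must-use plugin that hides the core users REST routes, author archives and the users sitemap from logged-out visitors and makes login errors generic. It assumes the site does not need public author archive pages; the file name and the error code are hypothetical.

```php
<?php
/**
 * Added example (hypothetical file: wp-content/mu-plugins/limit-user-enumeration.php).
 * Assumption: the site does not need public author archive pages.
 */

// 1. Require authentication for the core users REST routes (/wp/v2/users...),
//    which otherwise return user slugs to anonymous requests.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	if ( ! is_user_logged_in() && 0 === strpos( $request->get_route(), '/wp/v2/users' ) ) {
		return new WP_Error(
			'rest_user_list_forbidden', // constructed error code
			'Authentication required.',
			array( 'status' => 401 )
		);
	}
	return $result;
}, 10, 3 );

// 2. Send logged-out visitors away from author archives. Priority 1 runs before
//    core's redirect_canonical (priority 10), which would otherwise put the
//    author slug into a Location header.
add_action( 'template_redirect', function () {
	if ( is_author() && ! is_user_logged_in() ) {
		wp_safe_redirect( home_url( '/' ), 302 );
		exit;
	}
}, 1 );

// 3. Drop the users provider from the core XML sitemap (WordPress 5.5+),
//    which lists author archive URLs.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
	return 'users' === $name ? false : $provider;
}, 10, 2 );

// 4. Return one generic message for every failed login on wp-login.php, so the
//    form does not confirm whether a username exists.
add_filter( 'login_errors', function () {
	return 'Invalid username or password.';
} );
```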