Over the last couple of weeks, I’ve been getting tons of failed login attempts on my WordPress admin account, as reported by the “Limit Login Attempts Reloaded” plugin. Turns out, my admin username is known—apparently to hackers, it’s easy to find any WordPress username if someone wants to. I read somewhere that a WordPress username is publicly accessible as an author slug, or through something called User Enumeration.
That got me thinking about my site built with Listing Hive. Since it allows user signups (customers, service providers, etc.), can anyone find the usernames of my registered users just like they can with WP admins?
If yes:
- What steps can I take to protect them?
- If someone manages to get hold of a user’s username + password, what kind of access do they get?
- What kind of damage could a hacker potentially cause through those compromised accounts?
Would appreciate any solid advice or best practices. I want to secure the site before opening it to the public. Thanks!