by nileshk 2607 days ago
If you have enough control of the server it resides on, one of the best things you can do is to deny it access to write to the PHP files of the WordPress install (which requires that you use WP-CLI via the command line to do updates), and set up automatic updates by calling WP-CLI through a cron job or however you want to automate that.

When a WordPress install has write access to its own PHP files, then a vulnerability can obviously do more harm, since it can modify the WordPress install itself and thus more easily "infect" the installation. Denying write access cuts off many attacks from doing significant harm. BTW, WP-CLI can also do checksums of your install.

I wouldn't fret too much about seeing hack attempts. If you have enough logging turned on for a public web server, you'll see a constant stream of hack attempts for all types of languages / frameworks. I did this the other day and saw what I recognized as a variety of different attacks targeted at PHP, Rails, and Java.

Regarding usernames: note that WordPress will, by default, expose those usernames in things like posts (the author's username is revealed). I had to modify my theme to make that stop, and even then I'm not 100% sure it's not leaking somewhere I missed. Maybe you want to do all content editing with a user that has reduced privileges and only use your admin user when necessary.
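The lockdown described in the comment above, as an added shell example (not the commenter's own script): the code tree is made read-only for the web server, only wp-content/uploads stays writable, and a check function counts PHP files that are still group- or world-writable. It assumes a deploy user distinct from the web-server user, WP-CLI (`wp`) on that user's PATH, and a constructed throwaway directory standing in for a real install.

```bash
#!/bin/sh
# Added example. Assumed layout: WordPress under $WP_ROOT, owned by a deploy
# user (who runs WP-CLI), with the web server running as a different account.
set -eu

# Lock the code tree: dirs 0755, files 0644. Only the owning deploy user may
# write; the web-server user (group or other) can read but not modify PHP.
# On a live host you would first run, as root:
#   chown -R deploy:www-data "$WP_ROOT"
lock_code_tree() {
  find "$1" -type d -exec chmod 0755 {} +
  find "$1" -type f -exec chmod 0644 {} +
}

# Re-open only the uploads directory, which WordPress must write for media.
# PHP execution inside uploads should be disabled in the web-server config.
open_uploads() {
  mkdir -p "$1/wp-content/uploads"
  chmod -R u+rwX,g+rwX,o-w "$1/wp-content/uploads"
}

# Print the number of PHP files whose mode grants write to group or other.
# Mode bits are inspected rather than `test -w`, which is always true for root.
writable_php_count() {
  find "$1" -type f -name '*.php' \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Constructed fake install (not a real site) so the functions can be exercised
# offline; the PHP files are deliberately created world-writable.
make_fake_install() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-admin" "$d/wp-content/plugins/x" "$d/wp-content/uploads"
  for f in index.php wp-admin/admin.php wp-content/plugins/x/x.php; do
    echo '<?php' > "$d/$f"
    chmod 0666 "$d/$f"
  done
  echo "$d"
}

# Crontab entry for the deploy user (assumption: `wp` is on its PATH). Updates
# run as the file owner, and verify-checksums flags tampered core files.
# 15 3 * * * cd /var/www/wordpress && wp core update && wp plugin update --all && wp theme update --all && wp core verify-checksums
```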


> I'm not 100% sure it's not leaking somewhere I missed

Have you checked the REST endpoint, namely site.tld/wp-json/wp/v2/users?

By default all usernames are exposed that way.