How to secure a Wordpress installation?

Question

I have installed the following WP plugins at my site:

1. Hide My WP
2. Wordfence free
3. All In One WP Security & Firewall (with 410 points)
4. DNS from CloudFlare (medium settings)
5. Good global hosting, not cheap. My Admin name is like "gfutiewf" and login link like: mysite.com/dfwhc.

That´s all okay, today I see again in log: Anybody at login page try the "gfutiewf" username with bad password...

How? From where he see the login url and admin name?

Answer 1

I'm guessing they were guessing your author ID like so:

http://www.example.com/?author=1

http://www.example.com/?author=2

...

Once found, the WordPress would redirect to:

http://www.example.com/author/myrandomname/

which by default would be your admin name.

One way to solve that would be to change the value of user_nicename column in users table in the database to something else, like 'admin'. That way, the redirect will change to:

http://www.example.com/author/admin/

Answer 2

First off make sure you have the latest version of Hide My WordPress – Security Plugin - currently v1.1.028

Make sure you are not redirecting the old login (ex. wp-login.php to the new login page)

Also are you using Hide My Wp PRO? The current free version only hides the admin and login paths to see if the product is compatible with your WordPress.

To hide all the URLs you need to activate the Ninja mode and the plugin will hide all the paths from your website.

For further help please share your site's name so we can take a look at it.

Hope that helps.