Some time ago I published a video showing how a brute force attack could be carried out on a site under WordPress with a free tool called WPScan. An attack of this type basically consists of a list of words that are tested one after another as possible passwords until one allows access.
This is why a basic protection against this type of attack is to use rare passwords that include uppercase letters, lowercase letters, numbers and signs. In this way, the probability that the password is found in a dictionary (word list) will be almost nil and an attacker will have to spend so many hours on the subject that it will not make sense.
But to be able to log in it is also necessary to know the userand getting this information can be simple since it is not hidden by default. Even WPScan can with a quick scan list all configured users on a blog.
But another effective way to get it manually is to enter the variables go and author in the url like this www.spamloco.net/?author=1
As a result the articles written by the author will be shown with id = 1 and in the URL or the title the username you use for login:
User 1 does not necessarily have to be the blog administrator and in fact the value 1 may not exist, so you can increase the number to discover new created users.
How could the user hide in the author = id URL?
The solution is quite simple and Oscar Mogarra comments on it in this article on Chema Alonso's blog.
It is simply a variable in the database called user_nicename and that allows modifying the permalink of author page. In other words, when modifying it in the URL, the user used for the login will no longer be displayed.
I found it useful to comment it as an extra protection for the sites, it can also be useful in case you are using the same user in other online services.
For modify this value it is necessary to access the database, so before I recommend you make a backup. If you use cPanel it is very easy to do it with the option Backup Wizard and then downloading the MySQL database from the blog.
To modify the database, we can access phpMyAdmin from the same cPanel and look for the wp_users table:
Then we click Edit on the user you want to modify:
And finally we change the value of the column user_nicename by another nice name or a fake user to show in the author URL:
Of course there are other, more elegant ways to protect yourself against brute force attacks in WordPress, this is just one more layer of security. And it is useless to hide the user in the URL if in the end we use an obvious user such as admin, root or something like that, the ideal would be to change the user for a little common that nobody can guess.
With the plugins help We can also limit login attempts that can be made from the same IP, one that works very well is Limit Login Attempts; Another is Better WP Security which also allows you to easily change login URLs so that attackers cannot find them easily.
It is also possible to add a double verification with plugins such as Google Authenticator and Latch, one of the best that allows you to activate or deactivate the site login when you need it. Latch also works with other widely used platforms today such as Joomla, Drupal and PrestaShop.
Lastly, for extreme situations where login attempts don't stop I leave you this code which you can include in the .htaccess file to block all login attempts:
Note: change spamloco.net for your site.
This code will also block us and to log in we would have to access by FTP to edit the file, so it is not very practical but it can be useful for emergencies.
I also leave you an excellent article by Security by Default where it is explained how to block access to the login by IP so that only from ours can it be accessed even if it's a dynamic IP.
Related: When logging into WordPress beware of public WiFi