It works with any WordPress blog, whether or not the username physically shows up in a blog post. It doesn't work if the username has never been used as the author of a post, but it will reveal any username that has been assigned to a post. It will always reveal the original usernames set up when the user accounts were set up, unless you have gone into the user table and changed the user_nicename column. The article I pointed to shows how it is done. The display_name column is editable on the user editor page, but the user_nicename is not.
Originally Posted by iowadawg
I have used Limit Login Attempts for a couple of years and noticed that recently some hackers were trying to log in with the custom usernames I set up, even though they did not appear on any pages or code used in the blogs. That is when I started digging into it to find out how the names were revealed. This is a security flaw in WordPress.
Whether you are using the original default 'admin' account or not, if it exists it is a vulnerability. If you have an older blog, it could still be the default administrator account.
You are correct. Users have been waiting for the WP development team to allow renaming of the wp-admin directory for several years. They seem to be too focused on adding bells and whistles that almost no one uses.
Originally Posted by Andy101
Last edited by TopDogger; 21 April, 2013 at 14:46 PM.
"Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote." -- Benjamin Franklin