Hacker immediately found nicename

LearningWP123, hi.

There are many ways to find out this info, especially if you have not tried to somehow hide it, for example, like this:

{"id":4,"name":"Steve Milano","url":"http:\/\/ushsta.org","description":"","link":"http:\/\/ushsta.org\/author\/NC44 8p\/","slug":"NC44 8p","avatar_urls":{"24":"http:\/\/0.gravatar.com\/avatar\/6c5cb0ebd3011837ca486b591aed2daa?s=24&d=mm&r=g","48":"http:\/\/0.gravatar.com\/avatar\/6c5cb0ebd3011837ca486b591aed2daa?s=48&d=mm&r=g","96":"http:\/\/0.gravatar.com\/avatar\/6c5cb0ebd3011837ca486b591aed2daa?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"http:\/\/ushsta.org\/wp-json\/wp\/v2\/users\/4"}],"collection":[{"href":"http:\/\/ushsta.org\/wp-json\/wp\/v2\/users"}]}}

And this is not quite the correct approach to the issue – to change the login/name/etc. Better to focus on cutting off that malicious requests and reducing server load.

LearningWP123, yeah, true. If you want to trick the attacker, then create an unprivileged fake account, change the author of all pages/posts etc. to him and hide REST API v2 endpoints from public viewing. If you do everything correctly, you will see how the brute-force attack unfolds and it will be aimed at a fake user.

But still, it’s better to decrease this amount of requests and don’t play hide-n-seek with a bot – you’ll lose this game, sooner or later.

LearningWP123, solution depends on the technical side of the issue. For example, if your website is located on a VPS/DS that you manage yourself, then you can install software like firewall + fail2ban or any WAF you want. If it’s too complicated for you and/or your website is running on any shared hosting, then you can try so-called “security plugins” with the brute-force attacks block as an option.

LearningWP123, you’re welcome 🙂