Title: Security Question
Last modified: February 15, 2018

---

# Security Question

 *  [dmizesr](https://wordpress.org/support/users/dmizesr/)
 * (@dmizesr)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/security-question-24/)
 * I don’t know where to ask this so I’m starting here.
 * I installed the Sucuri security plugin on WP. It notifies me each time there’s
   a failed login and I get about 20 a day. It tells me the username of the attempted
   login.
 * I recently changed the name of the index.php in the wp-admin folder as well as
   changing the login name to something completely obscure. After about 24 hours
   I started getting security warnings again using the login name I had changed.
   My question is, how in the world did someone get the username? There’s no way
   it could’ve been guessed in less than a few thousand attempts. And also how did
   they figure out the new login page name? I’ve turned off indexes so no one could
   just list the files in the directory. So, where’s the leak?
 * I’d appreciate a pointer in the right direction if this is the wrong place, and
   thanks in advance for the help.
 * DWM

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [8 years, 3 months ago](https://wordpress.org/support/topic/security-question-24/#post-9978505)
 * Usernames are in no way secure and are often public domain.
 *  Moderator [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/)
 * (@sterndata)
 * Volunteer Forum Moderator
 * [8 years, 3 months ago](https://wordpress.org/support/topic/security-question-24/#post-9978674)
 * One easy way, unless it’s blocked by a plugin:
 * [http://example.com/wp-json/wp/v2/users](http://example.com/wp-json/wp/v2/users)
 *  Thread Starter [dmizesr](https://wordpress.org/support/users/dmizesr/)
 * (@dmizesr)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/security-question-24/#post-10001499)
 * Thanks. I had no idea. I used a pw generated by WP so I don’t have any concerns
   about it being cracked.
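
The replies above point to the REST users route as the place a changed login name can be read from. As an added example (not part of the thread, WordPress, or Sucuri), the script below scans web server access-log lines for requests to that route, in both the `/wp-json/wp/v2/users` form and the `?rest_route=` query form, and counts later login POSTs from the same client. The log lines are constructed, `/hidden-login.php` is a hypothetical stand-in for the renamed login page, and a site installed at the web root with "combined" log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/nginx "combined" format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Feb/2018:10:01:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "curl/7.58"
203.0.113.7 - - [15/Feb/2018:10:01:09 +0000] "POST /hidden-login.php HTTP/1.1" 200 3100 "-" "curl/7.58"
203.0.113.7 - - [15/Feb/2018:10:01:11 +0000] "POST /hidden-login.php HTTP/1.1" 200 3100 "-" "curl/7.58"
198.51.100.4 - - [15/Feb/2018:10:02:00 +0000] "GET /?rest_route=%2Fwp%2Fv2%2Fusers%2F1 HTTP/1.1" 401 90 "-" "x"
192.0.2.10 - - [15/Feb/2018:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Feb/2018:10:03:30 +0000] "POST /hidden-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# The users collection and single-user routes of the REST API.
USERS_ROUTE = re.compile(r"^/wp/v2/users(/\d+)?/?$")

def rest_route(target):
    """Return the REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.startswith("/wp-json/"):
        return path[len("/wp-json"):]
    # Query form of the same route; parse_qs percent-decodes the value.
    routes = parse_qs(parts.query).get("rest_route")
    return routes[0] if routes else None

def audit(log_text, login_path):
    """Map client IP -> users-route lookups, how many got a 200, later login POSTs."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, target, status = m.groups()
        route = rest_route(target)
        if route and USERS_ROUTE.match(route):
            entry = report.setdefault(ip, {"lookups": 0, "served": 0, "login_posts_after": 0})
            entry["lookups"] += 1
            entry["served"] += int(status == "200")
        elif ip in report and method == "POST" and urlsplit(target).path == login_path:
            report[ip]["login_posts_after"] += 1
    return report

if __name__ == "__main__":
    for ip, entry in audit(SAMPLE_LOG, "/hidden-login.php").items():
        print(ip, entry)
```

A non-zero `served` count means the route answered that client with user data; a count of zero with lookups present means something in front of the route is already refusing it.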


The topic ‘Security Question’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 3 participants
 * Last reply from: [dmizesr](https://wordpress.org/support/users/dmizesr/)
 * Last activity: [8 years, 3 months ago](https://wordpress.org/support/topic/security-question-24/#post-10001499)
 * Status: not resolved

