攻击者是这样拿到你的Wordpress 【管理员用户名】的！！

admin 不怕
密码 我都不知道

太感谢楼主了，我终于找到我博客的用户名了！

/batch/v1
/oembed/1.0
/oembed/1.0/embed
/oembed/1.0/proxy
/akismet/v1
/akismet/v1/key
/akismet/v1/settings
/akismet/v1/stats
/akismet/v1/stats/(?P<interval>[\w+])
/akismet/v1/alert
/jetpack/v4
/jetpack/v4/plans
/jetpack/v4/products
/jetpack/v4/marketing/survey
/jetpack/v4/jitm
/jetpack/v4/connection/test
/jetpack/v4/connection/test-wpcom
/jetpack/v4/rewind
/jetpack/v4/scan
/jetpack/v4/connection/url
/jetpack/v4/connection/data
/jetpack/v4/connection/register
/jetpack/v4/connection/owner
/jetpack/v4/tracking/settings
/jetpack/v4/connection
/jetpack/v4/connection/user
/jetpack/v4/site
/jetpack/v4/site/features
/jetpack/v4/site/products
/jetpack/v4/site/purchases
/jetpack/v4/site/benefits
/jetpack/v4/site/activity
/jetpack/v4/identity-crisis/confirm-safe-mode
/jetpack/v4/identity-crisis/start-fresh
/jetpack/v4/identity-crisis/migrate
/jetpack/v4/module/all
/jetpack/v4/module/all/active
/jetpack/v4/module/(?P<slug>[a-z\-]+)
/jetpack/v4/module/(?P<slug>[a-z\-]+)/active
/jetpack/v4/module/(?P<slug>[a-z\-]+)/data
/jetpack/v4/module/(?P<service>[a-z\-]+)/key/check
/jetpack/v4/settings
/jetpack/v4/settings/(?P<slug>[a-z\-]+)
/jetpack/v4/options/(?P<options>[a-z\-]+)
/jetpack/v4/updates/plugins
/jetpack/v4/notice/(?P<notice>[a-z\-_]+)
/jetpack/v4/plugins
/jetpack/v4/plugins/(?P<plugin>[^.\/]+(?:\/[^.\/]+)?)
/jetpack/v4/plugins/akismet/activate
/jetpack/v4/plugin/(?P<plugin>[a-z\/\.\-_]+)
/jetpack/v4/widgets/(?P<id>[0-9a-z\-_]+)
/jetpack/v4/verify-site/(?P<service>[a-z\-_]+)
/jetpack/v4/verify-site/(?P<service>[a-z\-_]+)/(?<keyring_id>[0-9]+)
/jetpack/v4/service-api-keys/(?P<service>[a-z\-_]+)
/jetpack/v4/mobile/send-login-email
/jetpack/v4/setup/questionnaire
/jetpack/v4/licensing/error
/jetpack/v4/jetpack_crm
/jetpack/v4/verify_xmlrpc_error
/jetpack/v4/remote_authorize
/jetpack/v4/connection/plugins
/jetpack/v4/connection/reconnect
/wpcom/v2
/wpcom/v2/business-hours/localized-week
/wpcom/v2/admin-menu
/wpcom/v2/external-media/list/(?P<service>google_photos|pexels)
/wpcom/v2/external-media/copy/(?P<service>google_photos|pexels)
/wpcom/v2/external-media/connection/(?P<service>google_photos)
/wpcom/v2/instagram-gallery/connect-url
/wpcom/v2/instagram-gallery/connections
/wpcom/v2/instagram-gallery/gallery
/wpcom/v2/mailchimp
/wpcom/v2/mailchimp/groups
/wpcom/v2/podcast-player
/wpcom/v2/resolve-redirect/?(?P<url>.+)?
/wpcom/v2/search
/wpcom/v2/tweetstorm/gather
/wpcom/v2/tweetstorm/parse
/wpcom/v2/tweetstorm/generate-cards
/wpcom/v2/gutenberg/available-extensions
/wpcom/v2/hello
/wpcom/v2/memberships/status
/wpcom/v2/memberships/product
/wpcom/v2/memberships/products
/wpcom/v2/publicize/connections
/wpcom/v2/publicize/connection-test-results
/wpcom/v2/publicize/services
/wpcom/v2/service-api-keys/(?P<service>[a-z\-_]+)
/wpcom/v2/subscribers/count
/jetpack/v4/hints
/wp/v2
/wp/v2/posts
/wp/v2/posts/(?P<id>[\d]+)
/wp/v2/posts/(?P<parent>[\d]+)/revisions
/wp/v2/posts/(?P<parent>[\d]+)/revisions/(?P<id>[\d]+)
/wp/v2/posts/(?P<id>[\d]+)/autosaves
/wp/v2/posts/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/pages
/wp/v2/pages/(?P<id>[\d]+)
/wp/v2/pages/(?P<parent>[\d]+)/revisions
/wp/v2/pages/(?P<parent>[\d]+)/revisions/(?P<id>[\d]+)
/wp/v2/pages/(?P<id>[\d]+)/autosaves
/wp/v2/pages/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/media
/wp/v2/media/(?P<id>[\d]+)
/wp/v2/media/(?P<id>[\d]+)/post-process
/wp/v2/media/(?P<id>[\d]+)/edit
/wp/v2/blocks
/wp/v2/blocks/(?P<id>[\d]+)
/wp/v2/blocks/(?P<id>[\d]+)/autosaves
/wp/v2/blocks/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/feedback
/wp/v2/feedback/(?P<id>[\d]+)
/wp/v2/feedback/(?P<id>[\d]+)/autosaves
/wp/v2/feedback/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/jp_pay_order
/wp/v2/jp_pay_order/(?P<id>[\d]+)
/wp/v2/jp_pay_order/(?P<id>[\d]+)/autosaves
/wp/v2/jp_pay_order/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/jp_pay_product
/wp/v2/jp_pay_product/(?P<id>[\d]+)
/wp/v2/jp_pay_product/(?P<id>[\d]+)/autosaves
/wp/v2/jp_pay_product/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/types
/wp/v2/types/(?P<type>[\w-]+)
/wp/v2/statuses
/wp/v2/statuses/(?P<status>[\w-]+)
/wp/v2/taxonomies
/wp/v2/taxonomies/(?P<taxonomy>[\w-]+)
/wp/v2/categories
/wp/v2/categories/(?P<id>[\d]+)
/wp/v2/tags
/wp/v2/tags/(?P<id>[\d]+)
/wp/v2/users
/wp/v2/users/(?P<id>[\d]+)
/wp/v2/users/me
/wp/v2/users/(?P<user_id>(?:[\d]+|me))/application-passwords
/wp/v2/users/(?P<user_id>(?:[\d]+|me))/application-passwords/(?P<uuid>[\w\-]+)
/wp/v2/comments
/wp/v2/comments/(?P<id>[\d]+)
/wp/v2/search
/wp/v2/block-renderer/(?P<name>[a-z0-9-]+/[a-z0-9-]+)
/wp/v2/block-types
/wp/v2/block-types/(?P<namespace>[a-zA-Z0-9_-]+)
/wp/v2/block-types/(?P<namespace>[a-zA-Z0-9_-]+)/(?P<name>[a-zA-Z0-9_-]+)
/wp/v2/settings
/wp/v2/themes
/wp/v2/plugins
/wp/v2/plugins/(?P<plugin>[^.\/]+(?:\/[^.\/]+)?)
/wp/v2/block-directory/search
/wp-site-health/v1
/wp-site-health/v1/tests/background-updates
/wp-site-health/v1/tests/loopback-requests
/wp-site-health/v1/tests/dotorg-communication
/wp-site-health/v1/tests/authorization-header
/wp-site-health/v1/directory-sizes
我可以提供一套类似的给你。就看你能力了！

在当前主题目录的functions.php文件里添加以下代码：

那么怎么屏蔽这个呢，哪位大佬来说说

万年用admin

没事我又不是在重要人物

好厉害啊

好的吧，还真的可以
但是并没有什么鸟必要，我博客名就是登录用户名

的确有点厉害

我的防火墙也经常拦截到一些莫名其妙的攻击，不知道是干嘛的

404 Not Found
nginx

厉害，改了名毫无用处

好像没太多用啊 用户名很多

伤害不高。侮辱性极强。。。

我不是wp

403 error 怎么搞？

404

太感谢楼主了，我终于找到我博客的用户名了！

随机生成的20位密码，就算知道了用户名，爆破恐怕需要一段时间

测试下签名第一个

{"code":"rest_disabled","message":"REST API disabled.","data":{"status":401}}
搞了个，显示这玩意

REST API disabled  说明你已经禁用了哇。

我的貌似返回的是403，被防火墙拦住了

约90% 的站点管理员用户名都是admin

返回403

那正好我属于那10%

{"code":"rest_user_cannot_view","message":"Sorry, you are not allowed to list users.","data":{"status":401}}

试了下VIR的。https://virmach.com/wp-json/wp/v2/users/
{"code":"rest_cannot_access","message":"DRA: Only authenticated users can access the REST API.","data":{"status":401}}

厉害了，大佬

发现用处了

{"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}
装WAF插件可以拦截

"抱歉，您不能列出用户。"

无事发生

其实吧，针对wp用户名的攻击不是走的rest api，不信你新建一篇文章，找个小号发布出去 等一会去后台就会发现有人用小号用户名去撞密码。

rest api罢了，不会有人不关这玩意吧

404 Not Found
nginx

感谢分享，这就去设置权限

You are not authorized to perform this action.

404

无所谓反正20位数字大小写字母特殊字符的密码，我都记不住。让她破吧

名字admin，密码64位随机大小写字母数字符号

那么怎么屏蔽这个呢，哪位大佬来说说

不用wp保平安

/batch/v1
/oembed/1.0
/oembed/1.0/embed
/oembed/1.0/proxy
/akismet/v1
/akismet/v1/key
/akismet/v1/settings
/akismet/v1/stats
/akismet/v1/stats/(?P<interval>[\w+])
/akismet/v1/alert
/jetpack/v4
/jetpack/v4/plans
/jetpack/v4/products
/jetpack/v4/marketing/survey
/jetpack/v4/jitm
/jetpack/v4/connection/test
/jetpack/v4/connection/test-wpcom
/jetpack/v4/rewind
/jetpack/v4/scan
/jetpack/v4/connection/url
/jetpack/v4/connection/data
/jetpack/v4/connection/register
/jetpack/v4/connection/owner
/jetpack/v4/tracking/settings
/jetpack/v4/connection
/jetpack/v4/connection/user
/jetpack/v4/site
/jetpack/v4/site/features
/jetpack/v4/site/products
/jetpack/v4/site/purchases
/jetpack/v4/site/benefits
/jetpack/v4/site/activity
/jetpack/v4/identity-crisis/confirm-safe-mode
/jetpack/v4/identity-crisis/start-fresh
/jetpack/v4/identity-crisis/migrate
/jetpack/v4/module/all
/jetpack/v4/module/all/active
/jetpack/v4/module/(?P<slug>[a-z\-]+)
/jetpack/v4/module/(?P<slug>[a-z\-]+)/active
/jetpack/v4/module/(?P<slug>[a-z\-]+)/data
/jetpack/v4/module/(?P<service>[a-z\-]+)/key/check
/jetpack/v4/settings
/jetpack/v4/settings/(?P<slug>[a-z\-]+)
/jetpack/v4/options/(?P<options>[a-z\-]+)
/jetpack/v4/updates/plugins
/jetpack/v4/notice/(?P<notice>[a-z\-_]+)
/jetpack/v4/plugins
/jetpack/v4/plugins/(?P<plugin>[^.\/]+(?:\/[^.\/]+)?)
/jetpack/v4/plugins/akismet/activate
/jetpack/v4/plugin/(?P<plugin>[a-z\/\.\-_]+)
/jetpack/v4/widgets/(?P<id>[0-9a-z\-_]+)
/jetpack/v4/verify-site/(?P<service>[a-z\-_]+)
/jetpack/v4/verify-site/(?P<service>[a-z\-_]+)/(?<keyring_id>[0-9]+)
/jetpack/v4/service-api-keys/(?P<service>[a-z\-_]+)
/jetpack/v4/mobile/send-login-email
/jetpack/v4/setup/questionnaire
/jetpack/v4/licensing/error
/jetpack/v4/jetpack_crm
/jetpack/v4/verify_xmlrpc_error
/jetpack/v4/remote_authorize
/jetpack/v4/connection/plugins
/jetpack/v4/connection/reconnect
/wpcom/v2
/wpcom/v2/business-hours/localized-week
/wpcom/v2/admin-menu
/wpcom/v2/external-media/list/(?P<service>google_photos|pexels)
/wpcom/v2/external-media/copy/(?P<service>google_photos|pexels)
/wpcom/v2/external-media/connection/(?P<service>google_photos)
/wpcom/v2/instagram-gallery/connect-url
/wpcom/v2/instagram-gallery/connections
/wpcom/v2/instagram-gallery/gallery
/wpcom/v2/mailchimp
/wpcom/v2/mailchimp/groups
/wpcom/v2/podcast-player
/wpcom/v2/resolve-redirect/?(?P<url>.+)?
/wpcom/v2/search
/wpcom/v2/tweetstorm/gather
/wpcom/v2/tweetstorm/parse
/wpcom/v2/tweetstorm/generate-cards
/wpcom/v2/gutenberg/available-extensions
/wpcom/v2/hello
/wpcom/v2/memberships/status
/wpcom/v2/memberships/product
/wpcom/v2/memberships/products
/wpcom/v2/publicize/connections
/wpcom/v2/publicize/connection-test-results
/wpcom/v2/publicize/services
/wpcom/v2/service-api-keys/(?P<service>[a-z\-_]+)
/wpcom/v2/subscribers/count
/jetpack/v4/hints
/wp/v2
/wp/v2/posts
/wp/v2/posts/(?P<id>[\d]+)
/wp/v2/posts/(?P<parent>[\d]+)/revisions
/wp/v2/posts/(?P<parent>[\d]+)/revisions/(?P<id>[\d]+)
/wp/v2/posts/(?P<id>[\d]+)/autosaves
/wp/v2/posts/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/pages
/wp/v2/pages/(?P<id>[\d]+)
/wp/v2/pages/(?P<parent>[\d]+)/revisions
/wp/v2/pages/(?P<parent>[\d]+)/revisions/(?P<id>[\d]+)
/wp/v2/pages/(?P<id>[\d]+)/autosaves
/wp/v2/pages/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/media
/wp/v2/media/(?P<id>[\d]+)
/wp/v2/media/(?P<id>[\d]+)/post-process
/wp/v2/media/(?P<id>[\d]+)/edit
/wp/v2/blocks
/wp/v2/blocks/(?P<id>[\d]+)
/wp/v2/blocks/(?P<id>[\d]+)/autosaves
/wp/v2/blocks/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/feedback
/wp/v2/feedback/(?P<id>[\d]+)
/wp/v2/feedback/(?P<id>[\d]+)/autosaves
/wp/v2/feedback/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/jp_pay_order
/wp/v2/jp_pay_order/(?P<id>[\d]+)
/wp/v2/jp_pay_order/(?P<id>[\d]+)/autosaves
/wp/v2/jp_pay_order/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/jp_pay_product
/wp/v2/jp_pay_product/(?P<id>[\d]+)
/wp/v2/jp_pay_product/(?P<id>[\d]+)/autosaves
/wp/v2/jp_pay_product/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/types
/wp/v2/types/(?P<type>[\w-]+)
/wp/v2/statuses
/wp/v2/statuses/(?P<status>[\w-]+)
/wp/v2/taxonomies
/wp/v2/taxonomies/(?P<taxonomy>[\w-]+)
/wp/v2/categories
/wp/v2/categories/(?P<id>[\d]+)
/wp/v2/tags
/wp/v2/tags/(?P<id>[\d]+)
/wp/v2/users
/wp/v2/users/(?P<id>[\d]+)
/wp/v2/users/me
/wp/v2/users/(?P<user_id>(?:[\d]+|me))/application-passwords
/wp/v2/users/(?P<user_id>(?:[\d]+|me))/application-passwords/(?P<uuid>[\w\-]+)
/wp/v2/comments
/wp/v2/comments/(?P<id>[\d]+)
/wp/v2/search
/wp/v2/block-renderer/(?P<name>[a-z0-9-]+/[a-z0-9-]+)
/wp/v2/block-types
/wp/v2/block-types/(?P<namespace>[a-zA-Z0-9_-]+)
/wp/v2/block-types/(?P<namespace>[a-zA-Z0-9_-]+)/(?P<name>[a-zA-Z0-9_-]+)
/wp/v2/settings
/wp/v2/themes
/wp/v2/plugins
/wp/v2/plugins/(?P<plugin>[^.\/]+(?:\/[^.\/]+)?)
/wp/v2/block-directory/search
/wp-site-health/v1
/wp-site-health/v1/tests/background-updates
/wp-site-health/v1/tests/loopback-requests
/wp-site-health/v1/tests/dotorg-communication
/wp-site-health/v1/tests/authorization-header
/wp-site-health/v1/directory-sizes
我可以提供一套类似的给你。就看你能力了！

不明觉厉

我这种自己都不记得密码的人，它弄到了我也无法

这个信息狠有用，如果站长用自己常用网名，且密码已经是明文在外，基本被攻破就是分分钟的事情

[{"id":1,"name":"gongyi","url":"","description":"","link":"https:\/\/www.zhujiceping.com\/author\/admin\/","slug":"admin","avatar_urls":{"24":"https:\/\/secure.gravatar.com\/avatar\/d2ad946411bb7848e873d0c3588bfe45?s=24&r=g","48":"https:\/\/secure.gravatar.com\/avatar\/d2ad946411bb7848e873d0c3588bfe45?s=48&r=g","96":"https:\/\/secure.gravatar.com\/avatar\/d2ad946411bb7848e873d0c3588bfe45?s=96&r=g"},"meta":[],"_links":{"self":[{"href":"https:\/\/www.zhujiceping.com\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/www.zhujiceping.com\/wp-json\/wp\/v2\/users"}]}}]

利用XMLRPC接口攻击啊？我直接把XMLRPC给关了，cloudflare那边还用防火墙拦了，稳当的

WP的API，文章都是admin，给别人随便破吧

admin

明白了，谢谢！已上Cloudflare防火墙。

在当前主题目录的functions.php文件里添加以下代码：

NB，一试就知道了

牛啊  真的显示出来了