WordFence version 5.0.9
I run 10 small websites. One is continually the target of brute force hack attempts. I made a new admin login using a long, not easily guessed username after learning that a username can be discovered if it is the author of articles, and have WordFence options set as follows:
Immediately lock out invalid usernames: Yes
Don't let WordPress reveal valid users in login errors: Yes
Prevent users registering 'admin' username if it doesn't exist: Yes
Prevent discovery of usernames through '?/author=N' scans: Yes
I put long/strong passwords and have strong passwords enforced. Violators are locked out for 60 days.
Not sure if there's something else I'm missing, but I worry more when a 'user is locked out' message contains my unique username rather than the usual 'admin' or website name attempts. Anything I should be worried about?
Tamrah Jo