WordPress Brute Force Attacker knows real admin Username

I noticed this as well and wrote a blog post about it a while ago: wordpress username leak. To summarize:

The leak is probably here: example.com/author/user_nicename. This page can, for example, be reached via example.com/?author=1.

WordPress has three username related fields in the database: username, nickname, and user_nicename.

username is the name with which you log in, nickname is the name which should be displayed, and user_nicename is the slug version of username, which is used in the author link.

To fix this, you can set user_nicename to nickname in the database.


I had the same problem and blocked the requests for the author scanning with the following .htaccess:

# Stop Author Scanning
# (RewriteEngine On is required once per .htaccess before any rewrite rules)
RewriteEngine On
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
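A way to see whether author scanning is hitting a site, and whether the block above is actually taking effect, is to look at the web server's access log: a `?author=N` request that gets a 301 means WordPress redirected to `/author/<user_nicename>/` (the leak is live), a 404 means no such user ID, and a 403 means the rewrite rule refused it. The script below is an added example, not code from any of the answers; it assumes combined-format access log lines and uses a few constructed sample lines so it runs offline.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /?author=4 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:05 +0000] "GET /author/editor/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:10:00 +0000] "GET /author-sitemap.xml HTTP/1.1" 200 812 "-" "curl/8.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Same pattern the .htaccess rule keys on: a numeric author= query parameter.
AUTHOR_ID_RE = re.compile(r'[?&]author=(\d+)(?:&|$)')


def parse_line(line):
    """Return ip/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}


def find_author_scanners(log_text, threshold=3):
    """Map client IP -> {author_id: status} for clients that probed at least
    `threshold` distinct author IDs. A 301 means WordPress redirected to the
    author archive (username exposed); 403 means the rewrite rule blocked it."""
    probes = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        am = AUTHOR_ID_RE.search(rec["path"])
        if am:
            probes[rec["ip"]][int(am.group(1))] = rec["status"]
    return {ip: ids for ip, ids in probes.items() if len(ids) >= threshold}


def find_author_sitemap_hits(log_text):
    """IPs that successfully fetched the Yoast author sitemap (status 200)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?")[0] == "/author-sitemap.xml" and rec["status"] == 200:
            hits.append(rec["ip"])
    return hits


if __name__ == "__main__":
    for ip, ids in find_author_scanners(SAMPLE_LOG).items():
        leaked = sorted(i for i, st in ids.items() if st == 301)
        print(f"{ip}: probed author IDs {sorted(ids)}; redirected (leaked) for {leaked}")
    for ip in find_author_sitemap_hits(SAMPLE_LOG):
        print(f"{ip}: fetched author-sitemap.xml")
```

Run against a real log with `find_author_scanners(open("access.log").read())`; once the rewrite rule is in place, the statuses recorded for `?author=N` should change from 301/404 to 403, which is a quick way to confirm the block works.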

Recently I have found a different path of username leakage.

By default the Yoast SEO plugin makes author-sitemap.xml available with a list of authors. This behaviour can be turned off in Search Appearance -> Archives.