Return Home
15th February, 2016

Wordpress And Enumerating Usernames

Below you will find some extracts of code which i have written to demonstrate how to stop these kinds of attacks. The funny thing is i have also put articles on my blog on how to run an attack on a WordPress site so some many call me a bit of a back stabber or ‘a bit of a dick head’, oh well. Well none the less i have still given you this WordPress user enumerating plugin for free so if you don’t use this or a similar one, well then its your own fault.

So how does enumerating work?
When permalinks are enabled, WordPress provides a URL that lists all the posts written by a certain user. For example, the URL http://site.com/wordpress/?author=1? will list all the posts written by the first user (with id 1). However, it will first redirect to a URL containing the username of this user id. In this example, WordPress will redirect to http://dev/wordpress3.9.1/author/adm1n/?.

adm1n is the username of the user with id 1. So, even if the WordPress installation followed security practices and renamed the administrator account, an attacker can use this trick to discover administrative account name.

With this, an attacker can iterate through all the user ids and list all the WordPress users that have at least one post. This represents a security risk that should be addressed, especially since WordPress doesn’t prevent repeated password-guessing attacks.

How can i prevent this?
You have a few ways to prevent someone from using this method on your WordPress site, one of which is by using a plugin which handles these kids of attacks. I have written a little WordPress plugin which you can download below.

This plugin will detect and log brute force attacks against your WordPress site. You won’t get any onscreen dashboard as it will run in the background but it will add statements to your WordPress log so you can then ban those IP addresses. Hundreds of IP address blocking plugins exist out there or simply use htaccess to handle a DENY.

The other simple ways in which you can try to prevent an attack is by the simple three steps below. This won’t by any means stop an attack but will help throw and stall a possible attack. Also bare in mind the permalink structure as discussed above.
• Remove the default WordPress admin user
• Change the WordPress users default ID
• Hide WordPress usernames

Download the code
You can download the code for free by clicking here.