Prevent WordPress Username Enumeration

Prevent WordPress Username Enumeration

Introduction

One of the first things you do when auditing a WordPress website is checking for ways to enumerate the admin username. In cases where the admin username is revealed, it’s pretty common to see the WordPress login page taking a large number of hits from brute force attacks against that username.

With Astra Web Application Firewall installed on our clients’ websites, I am easily able to observe this through the Login Activity feature which logs all the login attempts made, including successful attempts as well as the failed attempts that got blocked by Astra after a certain number of tries.

In this article, I will talk about some common attacks used by hackers and some measures you can take to prevent Username Enumeration in WordPress.

Common Attacks

The common methods deployed by hackers when attempting username enumeration in WordPress are:

1. Author Archives

If permalinks are enabled, in many WordPress installations it is possible to enumerate all the WordPress usernames iterating through the author archives. Whenever a post is published, the username or alias is shown as the author. For example, the URL http://site.com/?author=1 will show all the posts from user id 1. Attackers can abuse this functionality to figure out which usernames are available on the site.  — Acunetix

In this attack, hackers add author=n to the website URL, as shown below.

https://domain.com/?author=1

The request will be redirected to the author’s page with the corresponding user ID.

https://domain.com/author/admin_username

Note: The ID 1 usually represents the admin.

2. REST API

WordPress includes a REST API that can be used to list the information about the registered users on a WordPress installation. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.  — Acunetix

In this attack, hackers access the WordPress domain by adding /wp-json/wp/v2/users to the end of the URL, as shown below.

https://domain.com/wp-json/wp/v2/users

It outputs something like the following:

[{  
  "id":1,
  "name":"admin",
  "url":"",
  "description":"",
  "link":"http:\/\/...\/author\/admin\/",
  "slug":"admin",
  "avatar_urls":{  
     "24":"http:\/\/1.gravatar.com\/avatar\/...",
     "48":"http:\/\/1.gravatar.com\/avatar\/...",
     "96":"http:\/\/1.gravatar.com\/avatar\/..."
  },
  "meta":[  

  ],
  "_links":{  
     "self":[  
        {  
           "href":"http:\/\/.../wp-json\/wp\/v2\/users\/1"
        }
     ],
     "collection":[  
        {  
           "href":"http:\/\/..."
        }
     ]
  }
  },...

As can be seen here, the username and ID are visible to the hacker.

3. WPintel

Another rather easier method is to install the chrome extension WPintel which can enumerate the WordPress usernames for you by exploiting the REST API vulnerability discussed above.

Fig. 1— WPintel

Preventing WordPress Username Enumeration

Some of the common fixes used to prevent WordPress Enumeration are listed below:

1. .htaccess code to block all author scans

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans

Adding the above code to the .htaccess file in your WordPress website‘s root directory will block all author scan attacks discussed above.

2. Installing WordPress plugins

Plugins such as Disable REST API and Stop User Enumeration are two plugins that helps mitigate this vulnerability. However, in certain situations where the REST API needs to be enabled, this could be a problem.

As such, combining the above method and the below method is my preferred solution to this vulnerability.

3. Masking Usernames via Database

In addition to adding the above .htaccess code to block author scans, the usernames revealed through REST API vulnerability by direct URL access or using a plugin like WPintel can be masked in such a way that the actual username will not be displayed, but a random string chosen by you. Follow the below steps to implement this fix.

  1. Access the database.
  2. Select the table wp_users, or in case you have changed the wp- table prefix, then select [your-prefix]_users table.
  3. In the selected table, you will find a column named user_nicename. For each of the user accounts whose username you want to mask, change its respective user_nicename value to something random. The value you choose will be the one displayed when hackers perform any of the above-listed username enumeration attacks.
Fig. 2— user_nicename column

Conclusion

And there you go. These are some of the fixes available for WordPress Username Enumeration attacks. Hope this helps! 🙂


If you ever need Vulnerability Assessment and Penetration Testing done on your web application or want to make sure that vulnerabilities such as XSS, SQLi, CSRF and more don’t end up harming your business or your customers’ online data, you can always come talk to us at Astra.

Hope you enjoyed the read!

You can follow me on Medium for more stories about the various Security Audits I do and the crazy vulnerabilities I find, as well as on Twitter for more Cybersecurity related news.

Written by
Jinson Varghese
Join the discussion

Topics