WordPress User enumeration

By
Rejah Rehim
Published on
05 Mar 2022
2 min read

User enumeration is a reconnaissance technique in which an attacker probes a WordPress site to discover valid login names. The probes are ordinary HTTP requests, so a browser, curl or any WordPress security scanner is all the tooling required. It is the usual first step before a password brute-force attack: a list of confirmed usernames reduces the search to passwords alone. Blocking enumeration removes that head start, and the rejected requests leave a log trail that identifies the IP addresses running the scan. In a default WordPress installation the author archives disclose usernames, including the administrator account created at installation, and most WordPress security testing tools check for this.

Renaming the default admin account does not stop enumeration, but it removes the one username an attacker can otherwise assume exists, so it is a worthwhile partial defence against brute force. Unique usernames and strong passwords remain essential for securing the site.

Impact

Whenever a post is published, the author's display name is shown to the public, but the author archive URL is built from the account's login-derived slug (user_nicename), not from the display name. An attacker only has to change the author id in a query string to make WordPress reveal that slug:

http://example.beaglesecurity.com/?author=1

Requested in a browser, this URL makes WordPress redirect to the author archive for user id 1, typically /author/<username>/, which lists that user's posts; the username is exposed in the redirected URL itself. Incrementing the id walks through every account that has published posts, and id 1 is usually the administrator.
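The enumeration described above, as an added example (not code from the original post or from Beagle). It assumes the default WordPress behaviour that /?author=N redirects to /author/<user_nicename>/ for a user with published posts. The HTTP transport is injected so the constructed FAKE_SITE table runs the whole thing offline; urllib_fetcher is the real transport for a site you are authorised to test.

```python
"""Probe a WordPress site for username disclosure through /?author=N."""
import re
from typing import Callable, Dict, Optional, Tuple

# Author archive slug in a Location header, e.g. https://site/author/admin/
_AUTHOR_SLUG = re.compile(r"/author/([^/?#]+)/?")

Fetcher = Callable[[str], Tuple[int, Optional[str]]]  # url -> (status, Location)


def username_from_location(location: Optional[str]) -> Optional[str]:
    """Return the user_nicename disclosed by an author-archive redirect, else None."""
    if not location:
        return None
    m = _AUTHOR_SLUG.search(location)
    return m.group(1) if m else None


def enumerate_authors(base_url: str, fetch: Fetcher, max_id: int = 50,
                      stop_after_misses: int = 3) -> Dict[int, str]:
    """Walk ?author=1..max_id and collect disclosed usernames keyed by user id.

    A 'miss' is any response that is not a redirect into /author/<slug>/:
    a 404 (no such user, or a user without posts) or a redirect elsewhere
    (what the .htaccess mitigation produces). After stop_after_misses
    consecutive misses the probe stops, so it stays quiet on a hardened site.
    """
    found: Dict[int, str] = {}
    misses = 0
    for uid in range(1, max_id + 1):
        status, location = fetch(f"{base_url.rstrip('/')}/?author={uid}")
        name = username_from_location(location) if status in (301, 302) else None
        if name:
            found[uid] = name
            misses = 0
        else:
            misses += 1
            if misses >= stop_after_misses:
                break
    return found


def urllib_fetcher(url: str) -> Tuple[int, Optional[str]]:
    """Real transport: one GET with redirects disabled so the Location stays visible."""
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # urllib then raises HTTPError for the 3xx instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed responses standing in for a target site (not real data):
# ids 1 and 2 leak their slugs, any other id answers 404.
FAKE_SITE = {
    "https://example.test/?author=1": (301, "https://example.test/author/admin/"),
    "https://example.test/?author=2": (301, "/author/jdoe/"),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    return FAKE_SITE.get(url, (404, None))


if __name__ == "__main__":
    print(enumerate_authors("https://example.test", fake_fetch))
```

Run against the fake site it reports ids 1 and 2 as admin and jdoe and stops after three consecutive 404s. Against a site carrying the redirect rule from the mitigation section every id comes back as a 301 to a page outside /author/, which the slug extractor treats as a miss, so the same loop doubles as a check that the fix is in place.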

Mitigation / Precaution

Beagle recommends adding a rewrite rule to .htaccess so that author-id requests never reach WordPress. We also recommend setting a nickname and display name that differ from the login name. Note that the author archive slug (user_nicename) defaults to the login name and is not changed by editing the nickname, so the rewrite rule is what actually closes the author= route; it covers only that query, and the REST API users endpoint (/wp-json/wp/v2/users) is a separate, well-known disclosure that needs its own handling.

        # Stop WordPress username enumeration via /?author=N (and /index.php?author=N).
        # Place these lines before the WordPress block in .htaccess so they run first.
        RewriteEngine On
        RewriteCond %{REQUEST_URI} ^/(index\.php)?$
        RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+ [NC]
        RewriteRule ^ http://yourwebsite.com/somepage/? [L,R=301]

Whatever the hosting, the web server's access log records the source IP of every author= probe, so a scan can be attributed even after the rule above redirects it. On a VPS or dedicated server, where you control the firewall, Beagle recommends (as an optional extra) fail2ban: a filter that matches these requests and a jail that bans the source IP after a few hits. fail2ban is a practical defence against brute force and other single-source abuse; it does not protect against a distributed DDoS, where the traffic arrives from many addresses at once.
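The detection logic a fail2ban jail would apply, written out as an added example (not code from the original post or from Beagle). It parses Apache combined-format access lines, picks out author-id probes on / and /index.php, and reports IPs that send at least maxretry probes inside a findtime window. The log lines are constructed for the example.

```python
"""Flag source IPs that sweep /?author=N in Apache access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Apache combined log format; only client IP, timestamp, request path and status are used.
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# An author-id probe: / or /index.php with author=<digits> as the first or a later query parameter.
_AUTHOR_PROBE = re.compile(r'^/(index\.php)?\?(.*&)?author=\d+')


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, int]]:
    """Return (ip, timestamp, path, status) or None for a line that is not an access entry."""
    m = _LOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def author_probes(lines: Iterable[str]) -> Iterator[Tuple[str, datetime]]:
    """Yield (ip, timestamp) for every request that looks like an author-id probe.

    The status code is deliberately ignored: with the .htaccess rule in place
    the probes are 301s, without it 200/404s, and both should count.
    """
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, _status = parsed
        if _AUTHOR_PROBE.match(path):
            yield ip, ts


def offenders(lines: Iterable[str], maxretry: int = 5,
              findtime: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return {ip: total_probes} for IPs with >= maxretry probes inside some findtime window."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ip, ts in author_probes(lines):
        by_ip[ip].append(ts)
    hits: Dict[str, int] = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                hits[ip] = len(stamps)
                break
    return hits


# Constructed access log (not real traffic): 203.0.113.7 sweeps ids 1-6 in ten seconds,
# 198.51.100.4 makes one ordinary page view and a single author lookup.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2022:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.81.0"',
    '198.51.100.4 - - [05/Mar/2022:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Mar/2022:10:00:03 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.81.0"',
    '203.0.113.7 - - [05/Mar/2022:10:00:05 +0000] "GET /index.php?author=3 HTTP/1.1" 301 0 "-" "curl/7.81.0"',
    '198.51.100.4 - - [05/Mar/2022:10:00:06 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Mar/2022:10:00:07 +0000] "GET /?p=12&author=4 HTTP/1.1" 301 0 "-" "curl/7.81.0"',
    '203.0.113.7 - - [05/Mar/2022:10:00:09 +0000] "GET /?author=5 HTTP/1.1" 404 0 "-" "curl/7.81.0"',
    '203.0.113.7 - - [05/Mar/2022:10:00:11 +0000] "GET /?author=6 HTTP/1.1" 404 0 "-" "curl/7.81.0"',
    'not an access log entry at all',
]

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

The same request pattern can be carried into a fail2ban filter: fail2ban's failregex uses the <HOST> placeholder where this code captures the IP, and the jail's maxretry and findtime settings play the role of the two parameters of offenders(). The single author lookup from 198.51.100.4 is below the threshold and is not reported, which is the behaviour you want so that a legitimate visitor following an author link is not banned.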


Written by Rejah Rehim, Co-founder, Director