Web applications typically use authentication mechanisms to prevent unauthorized users from accessing protected resources. However, attackers often search for weaknesses in these systems, with username enumeration being a common method to identify valid usernames in a system.
This article will discuss various ways to identify valid usernames on any WordPress website, along with tips to mitigate these attacks.
[Method 1] Enumerate Usernames Through the Author Archives:
In many WordPress installations, it is possible to enumerate usernames through author archives, including the admin username. Accessing author archives can be done by adding author=n (where n is an integer) as a parameter to the WordPress home page.
Remediation and Fix Techniques:
- Add a code snippet to the theme’s
functions.php file. - Add a code snippet to the site’s root
.htaccess file.
Code Snippet to the Theme’s functions.php File
To block username enumeration via functions.php, add the following code:
if (!is_admin()) {
// default URL format
if (preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])) die();
add_filter('redirect_canonical', 'shapeSpace_check_enum', 10, 2);
}
function shapeSpace_check_enum($redirect, $request) {
// permalink URL format
if (preg_match('/\?author=([0-9]*)(\/*)/i', $request)) die();
else return $redirect;
}
This code checks for requests in the WordPress Admin Area and blocks those targeting the author archive.
Code Snippet to Site’s Root .htaccess File
For server-level restrictions, add this to your site’s root .htaccess file:
# Block User ID Phishing Requests
RewriteCond %{QUERY_STRING} ^author=([0-9]*)
RewriteRule .* http://example.com/? [L,R=302]
Remember to replace http://example.com/ with your actual WordPress domain.
[Method 2] Enumerate Usernames Through Different Error Messages:
When logging into WordPress, a valid username will yield an error indicating the username exists, but the password is incorrect. An invalid username returns a message stating the username does not exist.
To prevent attacks through login error messages, install the “Unified Login Error Messages” plugin. This plugin standardizes the login error message to “ERROR: Invalid username/password combination,” regardless of the correctness of the username.
To enhance the security of your WordPress site, consider implementing the discussed prevention techniques regularly. Securing against username enumeration is crucial in reducing the risk of subsequent attacks.
Sign Up Today and Start Your Free Trial.
