This article discusses one way in which a hacker can easily enumerate through authors or users of WordPress sites. To do this, the hacker takes the url of the site and places it within this url: http://example.com/?author=1. This queries the database for author=1 and returns the actual author name (username). What was pretty unsettling for me is that I actually run a WordPress site for a foundation I am a part and when I queried the site with the above url, my username was returned. What’s also interesting is that, when I ran the same url against https://mis.temple.edu for ?user=1, the returned value was “admin”. It’s one thing to know who a user is but it’s another thing for a hacker to know that the administrator username is actually admin-this is almost half the battle in carrying out a successful brute force attack. Incorrect username/password entry usually returns a “username/password incorrect” message. If you do not know for certainty what the username is, the previous message becomes more complicated. The article fortunately supplies code to add to index.php of the WordPress site to disable querying author names.
https://perishablepress.com/stop-user-enumeration-wordpress/
BIlaal Williams says
Thanks Ryan..I run a couple of WordPress sites and checked it, sure enough my username popped up. This is great info and I’ll be adding that php code asap!
Arkadiy Kantor says
WordPress sounds like a never ending security mess! Always seeing news about new WP vulnerabilities.