Join Jeff Starr for an in-depth discussion in this video, Stop user enumeration, part of WordPress: Developing Secure Sites.
- [Narrator] User enumeration refers to a technique that enables an attacker to get the usernames that are registered at your site. Once an attacker identifies a username, they can use it to focus a brute force attack against your login page and try to gain access to the admin area. This video shows you a quick way to prevent this by disabling user enumeration on your site. To see an example of how user enumeration works, let's visit the home page of our demo site. In the address bar we can enter /?author=1. When this URL is requested, WordPress displays the associated author archive page, which displays all posts from the author whose ID is one.
This is how an attacker can get your username. It shows right here in the address bar and also in some themes right here in the archive page itself. Returning to the admin area, we can check out the user profile screen which shows that the display name is WordPress User. This is the same name that we just saw displayed on the author archive page and this is the administrator's login username, so an attacker now knows the correct admin username for the site, not good.
Likewise for any other registered usernames. An attacker can enter any number. For example, we can enter author=6, say, to get the username for another registered user. In fact, there are scripts that attackers can use to scan a site for all author IDs numbered one to 1,000 or whatever. So they get a list of all usernames for the targeted site. This is what's known as user enumeration, because users can be identified by their registered ID.
Unless you've taken explicit steps to prevent user enumeration, your site is vulnerable to this exploit. So let's take a moment to lock things down. The first thing we want to do is make sure that our display names are different from our usernames. That is, we want to visit the Users page and, for each user, change their display name to anything other than the registered username. So for example, I can click to edit my username and change the display name to something else, like my actual name.
Now let's see what happens when someone tries enumerating my user ID. We return to the home page and we enter author=1, and we see here that the login username is no longer displayed on the page. Instead, the theme displays my chosen display name and leaves the actual username completely out of the picture, except here in the address bar, where the username is still displayed.
So basically when permalinks are enabled in the general settings, author ID requests are redirected to the associated author archive URL which reveals the login username. To prevent this we can either disable permalinks which isn't recommended if you use them, or we can install a plugin to simply block author ID requests. A good plugin that we can use to disable user enumeration is called Stop User Enumeration and is available at the WordPress plugin directory.
This is a very simple plugin that is well supported, popular, favorably rated and easy to use. Basically it's one of those plugins that just works. Here on the plugin screen, we see that the Stop User Enumeration plugin already is installed. So all that's left to do is activate and test. There are no settings for this plugin, it's simply a set it and forget it type of deal.
Before forgetting about it, however, we do want to check the plugin and verify that it's working properly. So we return to the home page and we enter author=1. The author ID request is denied by the plugin with a simple forbidden message. Feel free to enter some other IDs and watch as they are all stopped cold. In this tutorial, we took a moment to disable a threat known as user enumeration, which attackers use to obtain sensitive user information.
By installing a simple plugin and changing display names, we add another layer of security to help mitigate exploits and keep our site safe and secure.
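The two mitigations the video walks through (blocking numeric author ID requests before WordPress redirects them to the /author/username/ archive, and making sure no user's display name equals their login name) can also be implemented directly as a small must-use plugin. The following is an added example, not code from the video, from Jeff Starr, or from the Stop User Enumeration plugin; it assumes it is dropped into wp-content/mu-plugins/ on a standard WordPress install, and the function name `bae_users_exposing_login` and the plugin name are made up for this example.

```php
<?php
/*
Plugin Name: Block Author Enumeration (added example, not the course's code)
Description: Denies ?author=N requests and flags users whose display name equals their login.
*/

// 1. Deny author ID requests on the front end. WordPress's canonical redirect
//    (which turns ?author=1 into /author/<login>/ and thereby reveals the
//    username) runs on template_redirect, so we hook earlier, at init.
add_action('init', function () {
    if (is_admin()) {
        return; // leave dashboard and wp-admin AJAX requests untouched
    }
    if (isset($_GET['author']) && $_GET['author'] !== '') {
        // Same behaviour the video shows for the plugin: a plain 403 response.
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
});

// 2. Report users whose display name still matches their login name, since the
//    theme prints display_name on the author archive page (the first fix in the video).
function bae_users_exposing_login(): array {
    $exposed = [];
    $users = get_users(['fields' => ['ID', 'user_login', 'display_name']]);
    foreach ($users as $user) {
        if ($user->display_name === $user->user_login) {
            $exposed[] = $user->user_login;
        }
    }
    return $exposed;
}

// Show the list as an admin notice to anyone allowed to edit users.
add_action('admin_notices', function () {
    if (!current_user_can('edit_users')) {
        return;
    }
    $exposed = bae_users_exposing_login();
    if ($exposed !== []) {
        printf(
            '<div class="notice notice-warning"><p>%s</p></div>',
            esc_html('Display name equals login name for: ' . implode(', ', $exposed)
                . '. Change these display names on the Users screen.')
        );
    }
});
```

After adding the file, repeat the check from the video: request /?author=1 on the front end and confirm you get a 403 instead of a redirect to /author/username/, then look for the admin notice and rename any display names it lists. Because the block runs at init, it also stops the redirect that would otherwise leak the login name even with pretty permalinks enabled.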