WordPress User Enumeration
Impact: Medium
Description
User Enumeration occurs when web applications inadvertently reveal whether a username exists on the system, either due to misconfiguration or design decisions. Attackers exploit this by gathering a list of valid usernames to launch targeted attacks, such as brute force or default username and password attacks.
Recommendation
Block HTTP requests to /?author= and /wp-json/wp/v2/users/ URLs. You can use functions.php or .htaccess for this.
The below snippet is a sample .htaccess code you can use to prevent WordPress user enumeration.
RewriteEngine on
RewriteCond %{QUERY_STRING} (author=\d+) [OR]
RewriteCond %{REQUEST_URI} /wp-json/wp/v2/users/
RewriteRule .* - [F]
You should also make sure your theme is not displaying usernames.
Another option is to use plugins available for blocking user enumerations.
References
- CWE-200
- CWE-209
- OWASP 2021-A5
- OWASP: Account Enumeration
- OWASP: Testing for Account Enumeration and Guessable User Account
- WordPress
👉 You might also like:
User Enumeration - Vulnerability
Application Error - Vulnerability
Database Error - Vulnerability
Detailed Application and Database Error - Vulnerability
Last updated on May 13, 2024