Description
User Enumeration occurs when web applications inadvertently reveal whether a username exists on the system, either due to misconfiguration or design decisions. Attackers exploit this by gathering a list of valid usernames to launch targeted attacks, such as brute force or default username and password attacks.
Recommendation
Block HTTP requests to /?author= and /wp-json/wp/v2/users/ URLs. You can use functions.php or .htaccess for this.
The below snippet is a sample .htaccess code you can use to prevent WordPress user enumeration.
RewriteEngine on
# Forbid any request whose query string carries author=N (the author-archive lookup)
RewriteCond %{QUERY_STRING} (author=\d+) [OR]
# Forbid the REST users endpoint; no trailing slash, so both /wp-json/wp/v2/users and /wp-json/wp/v2/users/<id> match
RewriteCond %{REQUEST_URI} /wp-json/wp/v2/users
RewriteRule .* - [F]
You should also make sure your theme is not displaying usernames.
Another option is to use one of the plugins available for blocking user enumeration.
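The functions.php route mentioned above, as an added example that is not code from the original page: two standard WordPress hooks that return a uniform 403 for author lookups and remove the users routes from the REST API for anonymous clients. It assumes a stock WordPress install and goes in the active theme's functions.php or an mu-plugin.

```php
<?php
// Added example, not from the original page: a functions.php (or mu-plugin)
// counterpart to the .htaccess rules. Assumes a stock WordPress install.

// Refuse /?author=N and /author/<slug>/ for anonymous visitors. Priority 1 runs
// before redirect_canonical(), which would otherwise turn ?author=N into a
// redirect to /author/<username>/ and leak the name in the Location header.
// Responding 403 for every author request, valid id or not, keeps the reply
// identical so existence cannot be inferred from a redirect versus a 404.
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() ) {
        return;
    }
    $author_param = isset( $_GET['author'] ) ? (string) $_GET['author'] : '';
    if ( $author_param !== '' || is_author() ) {
        status_header( 403 );
        nocache_headers();
        exit;
    }
}, 1 );

// Drop every /wp/v2/users route from the REST route table for anonymous clients.
// Because this filters the route table rather than the URL, it also covers the
// ?rest_route=/wp/v2/users form that a REQUEST_URI-only .htaccess rule does not see.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

Logged-in users (including the block editor, which needs /wp/v2/users for author selection) are unaffected; anonymous requests to the removed routes receive WordPress's standard rest_no_route 404.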
References
- OWASP: Testing for Account Enumeration and Guessable User Account
- OWASP: Account Enumeration
- WordPress
- CWE-200
- CWE-209
- CAPEC-118
- CAPEC-49
- OWASP 2021-A5