User enumeration is a technique that lets an attacker discover which usernames are registered on your website.
Once an attacker knows a valid username, half of the credential pair is solved, and they can brute force the password against your login page until they get into your admin area.
In this article, I’ll show you the techniques attackers use to find usernames and quick ways to prevent user enumeration in WordPress.
WordPress Enumeration Techniques To Identify Username
Here are the enumeration techniques attackers most commonly use against WordPress sites.
Author Archives
Finding users by iterating through the author archives is a common technique that works in most versions of WordPress by default.
WordPress assigns a unique numeric user ID to every account. The ID is what the application uses in the database and for referencing the user account.
To enumerate usernames from the author archives, an attacker simply appends an integer to the author query parameter. Any number can be tried:
http://domain.com/?author=1
When this URL is requested, WordPress looks up the author with ID 1 and, on a site with pretty permalinks, answers with an HTTP 301 redirect to that author’s archive page. The archive URL contains the author’s slug (the user_nicename field), which by default is the login name:
http://domain.com/author/admin/
The attacker now knows the admin username for your site, which is not good. (If the slug was changed after account creation, the URL reveals the slug rather than the login name, but by default the two are the same.)
Using this method, an attacker can identify every username by fuzzing the author parameter: IDs that exist redirect to an archive, while IDs that do not exist return a 404, so the two cases are easy to tell apart and the scan can be fully automated.
Unless you’ve taken explicit steps to prevent this type of user enumeration, your site is exposed to it.
Login Error Messages
Another method attackers use is the WordPress login page itself.
By default, WordPress lets anyone submit username and password combinations as many times as they want; there is no built-in rate limit or lockout.
If the username exists, the error message reveals that the username is correct but the password is wrong.
If the guessed username does not exist, the error message says so instead.
The login form is therefore an oracle: by submitting guesses and reading the error message, an attacker can confirm valid usernames one by one without ever knowing a password.
Worse, combined with the author-archive technique above, the attacker already has the username and only needs to guess the admin password.
Post Meta Information
In some cases the leak comes from the theme rather than from WordPress core.
Theme template files sometimes print the author name in the post meta information, on author-archive pages, or in other locations, and link that name to the author archive.
Here’s an example website.
If you hover over the author’s name, the link target shown in the browser’s status bar ends in /author/<username>/, revealing the username.
This isn’t good and should be disabled, because it hands the attacker your username without any guessing at all.
So be careful when choosing a WordPress theme for your website, and check what the author links in your theme actually point to.
How to Stop User Enumeration in WordPress?
There are several ways to stop user enumeration. We go through each of them below:
- Use a plugin
- Hide Login Hints
- Add code snippet to the theme’s functions.php file
- Add code snippet to site’s root .htaccess file
Use Stop User Enumeration Plugin
One of the simplest ways to stop user enumeration is the plugin called Stop User Enumeration.
This is a very simple plugin that is well supported, popular, favorably rated, and easy to use.
Basically it’s one of those plugins that just works.
There are no settings for this plugin; it’s a set-it-and-forget-it type of deal.
Before forgetting about it, however, verify that it’s actually working.
Return to your site’s home page and add ?author=1 to the URL (for example http://domain.com/?author=1). The plugin should deny the request with a simple forbidden message instead of redirecting to the author archive.
Try a few other IDs and confirm that they are all blocked.
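The following Python script is an added example, not code from the article or from the Stop User Enumeration plugin. It automates both passages above: the author-archive enumeration an attacker runs (iterate ?author=N and read the username out of the redirect Location header), and the check a site owner runs after installing a block (every ID should come back as blocked rather than as a leak). The base URL http://domain.com and the fake responses in FAKE_SITE are constructed so the script can be exercised offline; pass a real site URL on the command line to run it for real.

```python
"""Enumerate WordPress usernames via /?author=N, or verify that the leak is blocked."""
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

# Author slug inside a redirect target such as http://domain.com/author/admin/
AUTHOR_SLUG_RE = re.compile(r"/author/([^/?#]+)/?", re.IGNORECASE)

Response = Tuple[int, Dict[str, str], str]  # (status, lowercase headers, body)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the Location header is the evidence we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, timeout: float = 10.0) -> Response:
    """Fetch one URL and return status, headers and body without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "author-enum-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx land here because redirects are refused
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read().decode("utf-8", "replace")


def classify(status: int, headers: Dict[str, str], body: str) -> Tuple[str, Optional[str]]:
    """Interpret one response to /?author=N.

    ("leak", slug)   : WordPress redirected to /author/<slug>/ (or rendered it), username disclosed
    ("blocked", None): 403 (plugin / functions.php) or a redirect away from the archive (.htaccess rule)
    ("no_user", None): 404, no account with that ID
    ("unknown", None): anything else; inspect by hand
    """
    if status in (301, 302, 307, 308):
        match = AUTHOR_SLUG_RE.search(headers.get("location", ""))
        return ("leak", match.group(1)) if match else ("blocked", None)
    if status == 403:
        return "blocked", None
    if status == 404:
        return "no_user", None
    if status == 200:
        # Plain-permalink sites render the archive inline; best-effort scan of the body for the slug.
        match = AUTHOR_SLUG_RE.search(body)
        return ("leak", match.group(1)) if match else ("unknown", None)
    return "unknown", None


def enumerate_authors(base_url: str, ids: Iterable[int],
                      fetch: Callable[[str], Response] = http_fetch) -> Dict[int, Tuple[str, Optional[str]]]:
    """Request /?author=N for each ID and classify the answer."""
    return {uid: classify(*fetch(f"{base_url.rstrip('/')}/?author={uid}")) for uid in ids}


def is_protected(results: Dict[int, Tuple[str, Optional[str]]]) -> bool:
    """True when no ID disclosed a username."""
    return not any(kind == "leak" for kind, _ in results.values())


# Constructed offline stand-ins for a vulnerable site and for a site with a block in place.
FAKE_SITE: Dict[int, Response] = {
    1: (301, {"location": "http://domain.com/author/admin/"}, ""),
    2: (301, {"location": "http://domain.com/author/rod/"}, ""),
    3: (404, {}, "<h1>Page not found</h1>"),
}


def fake_vulnerable_fetch(url: str) -> Response:
    uid = int(re.search(r"author=(\d+)", url).group(1))
    return FAKE_SITE.get(uid, (404, {}, ""))


def fake_protected_fetch(url: str) -> Response:
    return 403, {}, "Forbidden"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = enumerate_authors(sys.argv[1], range(1, 11))
    else:
        results = enumerate_authors("http://domain.com", [1, 2, 3], fake_vulnerable_fetch)
    for uid, (kind, user) in sorted(results.items()):
        print(f"author={uid}: {kind}" + (f" ({user})" if user else ""))
    print("protected" if is_protected(results) else "VULNERABLE: usernames leak")
```

Run it before and after installing the plugin (or either code snippet below): the run before should list usernames for the low IDs, the run after should report every ID as blocked. A 302 to the home page with no author slug counts as blocked because that is what the .htaccess redirect approach produces.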
Hiding Login Hints in WordPress
Another useful way to reduce this kind of threat is hiding login hints.
Add the following code to your theme’s functions.php file (a child theme or a small site-specific plugin is better, so the change survives theme updates):
function wpms_no_wordpress_hints( $error ) {
    // Replace every login error message with one generic message
    return 'Something is wrong!';
}
add_filter( 'login_errors', 'wpms_no_wordpress_hints' );
This hooks the login_errors filter and overrides the default WordPress login error messages with a single generic string.
Now if someone enters an incorrect username, email, or password, WordPress simply shows “Something is wrong!” without hinting which part was wrong. Note that this only changes the message: it does not limit the number of login attempts, and it does nothing about the author-archive leak, so use it together with one of the blocks described in this article.
Code Snippet to the Theme’s functions.php File
To block query-string user enumeration via functions.php, add the following code to your theme’s functions file:
if ( ! is_admin() ) {
    // Default (non-permalink) URL format: /?author=1
    // (^|&) makes sure we match the author parameter itself and not e.g. post_author=
    if ( isset( $_SERVER['QUERY_STRING'] ) && preg_match( '/(^|&)author=([0-9]+)/i', $_SERVER['QUERY_STRING'] ) ) {
        status_header( 403 );
        die();
    }
    // Permalink URL format: WordPress would otherwise redirect ?author=1 to /author/<username>/
    add_filter( 'redirect_canonical', 'wpms_check_enum', 10, 2 );
}
function wpms_check_enum( $redirect, $request ) {
    if ( preg_match( '/\?author=([0-9]+)(\/*)/i', $request ) ) {
        status_header( 403 );
        die();
    }
    return $redirect;
}
No editing is required for this to work; just copy and paste. Here’s how it works:
- The is_admin() check skips the rule for requests to the WP Admin area (including admin-ajax), so the dashboard keeps working
- Any front-end request whose query string carries author=<number> is refused with a 403 before WordPress can redirect to the author archive
Note that this covers only the query-string form. The pretty permalink /author/<username>/ still works, so an attacker who already knows a username can still reach the archive; disabling author archives entirely (Yoast SEO has an option for this) closes that form too.
Code Snippet to Site’s Root .htaccess File
If you would rather block requests at the server level, you can add the following code to your site’s root .htaccess file, above the # BEGIN WordPress block so it runs before WordPress’s own rewrite rules:
# Block user-enumeration requests (?author=N)
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+
RewriteRule .* http://domain.com/? [L,R=302]
Replace http://domain.com/ with your actual WordPress domain. The trailing ? on the target drops the query string, so the visitor simply lands on your home page. The condition uses (^|&) rather than a plain ^author=, because an anchored pattern only fires when author is the first parameter and is trivially bypassed with a URL such as /?p=1&author=1. If you prefer to answer with a 403 instead of a redirect, use RewriteRule .* - [F,L]. As with the functions.php snippet, this only catches the query-string form, not /author/<username>/.
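The script below is an added example, not part of the article, and it serves both the functions.php snippet and the .htaccess rule. It is a Python reference for the query-string matching those snippets perform, so you can try candidate URLs against it before deploying: the weak pattern mirrors an anchored ^author= rule, which fires only when author is the first parameter, and the strict pattern (^|&)author=[0-9]+ matches the parameter anywhere in the query string. It also flags the /author/<slug>/ path form, which neither rule can see. The sample URLs and the domain are constructed.

```python
"""Reference check for the ?author=N blocking rules (query-string form only)."""
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Anchored pattern: fires only when author= is the very first query parameter.
WEAK_QUERY_RE = re.compile(r"^author=([0-9]*)")

# Hardened pattern: author=<digits> as its own parameter anywhere in the query string.
STRICT_QUERY_RE = re.compile(r"(?:^|&)author=([0-9]+)")

# Pretty-permalink path form; only disabling author archives covers this one.
AUTHOR_PATH_RE = re.compile(r"^/author/([^/?#]+)/?$")


def weak_rule_blocks(url: str) -> bool:
    """Would an anchored ^author= rewrite rule block this request?"""
    return WEAK_QUERY_RE.search(urlsplit(url).query) is not None


def strict_rule_blocks(url: str) -> bool:
    """Would the (^|&)author=[0-9]+ rule block this request?"""
    return STRICT_QUERY_RE.search(urlsplit(url).query) is not None


def author_archive_slug(url: str) -> Optional[str]:
    """Return the username slug when the request uses the /author/<slug>/ path form."""
    match = AUTHOR_PATH_RE.match(urlsplit(url).path)
    return match.group(1) if match else None


def audit(url: str) -> Dict[str, object]:
    """Describe how one request fares against each rule."""
    return {
        "weak_blocks": weak_rule_blocks(url),
        "strict_blocks": strict_rule_blocks(url),
        "path_form_slug": author_archive_slug(url),
    }


# Constructed sample requests; the second one bypasses the anchored rule.
SAMPLE_URLS = [
    "http://domain.com/?author=1",
    "http://domain.com/?p=1&author=1",
    "http://domain.com/?post_author=1",
    "http://domain.com/author/admin/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, audit(sample))
```

The third sample shows why the pattern is anchored on a parameter boundary: a loose author= substring match would also refuse harmless requests such as post_author=1, while the strict pattern leaves them alone.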
Final Thoughts
Security is a constant battle.
Here we’ve seen different ways to prevent user enumeration, which attackers use to obtain valid usernames before attacking the login form.
By installing a simple plugin and changing the login error messages, we’ve added another layer of defence that makes brute force attacks harder.
A small code snippet in the theme’s functions.php file or in .htaccess blocks the ?author=N requests as well.
I hope you’ve learned how to fix WordPress user enumeration.
Share your experience or any suggestion in the comment box below.
If you liked this article, then please subscribe to my YouTube Channel for WordPress video tutorials. You can also find me on LinkedIn, Facebook, and Twitter.
7 Responses
Hi Rod,
Thanks for the tips!
For the longest time, I have been using the Avada theme. I hadn’t noticed that it exposed my username.
I disabled the link now. Thankfully I came across this part here.
Thanks once again, mate.
Hey there, Jacob.
Glad you’ve found this article useful. And thank you also for stopping by.
~Rod
Great article, Rod
I probably should try one of these techniques soon. This is a great way to keep attackers away. I’ve been a victim before, and applying this might be able to save me in the future. Keep it up.
Thanks for sharing, I will try these techniques later.
Keep it up, Sir Rod.
Thanks for sharing these tips. Would love to try this out.
Hey, Rod, excellent tip as always. Will it be ok to use Yoast SEO to disable the author archives? Will this not give any issues?
Once again, I’ll appreciate your help. Thanks
Hello Sarah, thanks for dropping by. And yes, Yoast SEO is a great plugin and you can use it to disable the author archives. Also, I don’t see any issues with it.
Just give it a try. Thanks