• Hello,

    I’m checking my logs and I can see that there are lots of brute-force attempts with real admins from my website. So I’ve searched a bit on the internet and I found that if you use some commands on WordPress you can list all the users. This could be a weak point, as they can see all my users, and they can see the administrators as well.

    Here are some of these commands:

    Method 1: Using /?author=1 Query Parameter
    https://[yoursite]/?author=1
    
    Method 2: Using WordPress JSON REST Endpoints
    https://[yoursite]/wp-json/wp/v2/users/1

    With these commands, anyone can get access to my usernames.

    What is the best way to prevent that?

    Thanks
    Best Regards
    Rodrigo
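
The following is an added example, not code from the thread or from WordPress: a read-only PHP CLI probe you can point at your own site to confirm whether the two methods quoted in the question disclose anything. It deliberately does not follow redirects, because for /?author=N the disclosure is the Location header of core's canonical redirect to /author/<nicename>/; it also parses the REST responses for the `slug` field. The file name, the user agent string and the ID range are assumptions. Note that what leaks is the user_nicename (slug), which by default is derived from the login name but can differ from it.

```php
<?php
// Added example, not code from the thread: a read-only CLI probe that checks whether a
// WordPress site exposes user names through the two methods quoted in the question.
// Redirects are NOT followed on purpose: for /?author=N the leak is the Location header
// of core's canonical redirect to /author/<nicename>/.
// Usage (assumed file name): php probe-user-enum.php https://example.com [first_id] [last_id]

function http_get_no_redirect( string $url ): array {
    $ctx = stream_context_create( [ 'http' => [
        'method'          => 'GET',
        'follow_location' => 0,     // keep 301/302 responses so Location can be read
        'ignore_errors'   => true,  // return headers/body for 4xx/5xx instead of false
        'timeout'         => 10,
        'user_agent'      => 'wp-user-enum-probe (added example)',   // assumed UA string
    ] ] );
    $body    = @file_get_contents( $url, false, $ctx );
    $headers = $http_response_header ?? [];   // populated by the http stream wrapper
    $status  = 0;
    if ( isset( $headers[0] ) && preg_match( '#^HTTP/\S+\s+(\d{3})#', $headers[0], $m ) ) {
        $status = (int) $m[1];
    }
    return [ 'status' => $status, 'headers' => $headers, 'body' => (string) $body ];
}

// Method 1: /?author=N. Returns the disclosed nicename, or null if nothing was disclosed.
function author_param_leak( array $resp ): ?string {
    foreach ( $resp['headers'] as $h ) {
        // Canonical redirect: "Location: https://site/author/<nicename>/"
        if ( 0 === stripos( $h, 'Location:' ) && preg_match( '#/author/([^/?\#\s]+)#', $h, $m ) ) {
            return urldecode( $m[1] );
        }
    }
    // No redirect (e.g. plain permalinks): the archive page itself carries the
    // body classes author-<nicename> and author-<ID>; report the non-numeric one.
    if ( 200 === $resp['status'] && preg_match( '/<body[^>]*\bclass="([^"]*)"/i', $resp['body'], $m ) ) {
        foreach ( preg_split( '/\s+/', $m[1] ) as $class ) {
            if ( 0 === strpos( $class, 'author-' ) && ! ctype_digit( substr( $class, 7 ) ) ) {
                return substr( $class, 7 );
            }
        }
    }
    return null;
}

// Method 2: /wp-json/wp/v2/users and /wp-json/wp/v2/users/N. Returns the exposed slugs.
function rest_users_leak( array $resp ): array {
    if ( 200 !== $resp['status'] ) {
        return [];   // 401/403/404: endpoint blocked or not present
    }
    $data = json_decode( $resp['body'], true );
    if ( ! is_array( $data ) ) {
        return [];
    }
    if ( isset( $data['slug'] ) ) {
        $data = [ $data ];   // the single-user endpoint returns one object, not a list
    }
    $slugs = [];
    foreach ( $data as $user ) {
        if ( is_array( $user ) && isset( $user['slug'] ) ) {
            $slugs[] = $user['slug'];
        }
    }
    return $slugs;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $site  = rtrim( $argv[1], '/' );
    $first = (int) ( $argv[2] ?? 1 );
    $last  = (int) ( $argv[3] ?? 10 );
    for ( $id = $first; $id <= $last; $id++ ) {
        $name = author_param_leak( http_get_no_redirect( "{$site}/?author={$id}" ) );
        printf( "?author=%d  -> %s\n", $id, $name ?? '(nothing disclosed)' );
    }
    $slugs = rest_users_leak( http_get_no_redirect( "{$site}/wp-json/wp/v2/users?per_page=100" ) );
    printf( "/wp/v2/users -> %s\n", $slugs ? implode( ', ', $slugs ) : '(nothing disclosed)' );
}
```

Run it against a site before and after applying a fix; a fixed site should print "(nothing disclosed)" for every ID and for the REST listing. Only probe sites you are authorised to test.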

Viewing 3 replies - 1 through 3 (of 3 total)
  • Require authentication for APIs, or block them completely if you don't use them. You can do so via plugins and security plugins too.

    Thread Starter livredes

    (@livredes)

    Hi @gamingdm, thanks for your reply!!

    Do you know how to block that access without plugins?

    Or does anybody know how to prevent listing the users?

    Thanks!!

    All the best

    Thread Starter livredes

    (@livredes)

    Hello, I’ve found a solution for that, but I’m not sure if it’s the best way or if it’s safe to add this code.

    I have added it on my test website; after adding these snippets, I wasn’t able to list the users anymore.

    Can anybody tell me what you think about this solution, please?

    I have added the snippets plugin and then I used the methods below:

    // Prevent user enumeration via the ?author=N query parameter.
    // Registered at priority 0: core hooks redirect_canonical() on template_redirect at
    // priority 10, and it would otherwise 301 /?author=N to /author/<nicename>/ before this
    // function runs, disclosing the name in the Location header.
    function redirect_to_home_if_author_parameter() {
        $is_author_set = get_query_var( 'author', '' );
        // is_admin() is true only while rendering wp-admin screens, not for admin users.
        if ( '' !== $is_author_set && ! is_admin() ) {
            wp_safe_redirect( home_url( '/' ), 301 );
            exit;
        }
    }
    add_action( 'template_redirect', 'redirect_to_home_if_author_parameter', 0 );

    // Prevent user enumeration via the JSON REST endpoints.
    // Only removed for unauthenticated requests: the block editor calls /wp/v2/users
    // (author selection, mentions) on behalf of the logged-in editor.
    function disable_rest_endpoints( $endpoints ) {
        if ( is_user_logged_in() ) {
            return $endpoints;
        }
        if ( isset( $endpoints['/wp/v2/users'] ) ) {
            unset( $endpoints['/wp/v2/users'] );
        }
        if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
            unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
        }
        return $endpoints;
    }
    add_filter( 'rest_endpoints', 'disable_rest_endpoints' );
    • This reply was modified 3 years, 6 months ago by livredes.
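
As an added example that goes beyond the snippet in the post above (it is not code from the thread or from WordPress core), here is a single must-use plugin that closes the two paths discussed in this thread and the other username disclosure paths that WordPress core exposes by default: the /author/<nicename>/ archive reached via the author_name query var, the users sitemap that core's XML sitemaps have published since WordPress 5.5 (/wp-sitemap-users-1.xml), the login form's distinct "unknown username" and "wrong password" error texts, and the author fields in oEmbed responses. The REST routes are hidden from unauthenticated requests only, so the block editor keeps working. The file name wp-content/mu-plugins/block-user-enumeration.php and the generic login message text are assumptions.

```php
<?php
/**
 * Plugin Name: Block user enumeration (added example, not code from this thread)
 * Description: Closes the username disclosure paths discussed above plus the other core ones.
 * Install: copy to wp-content/mu-plugins/block-user-enumeration.php (assumed file name).
 */

// 1. /?author=N and /author/<nicename>/ (author_name query var) for anonymous visitors.
//    Priority 0 so this runs before core's redirect_canonical() (same hook, priority 10),
//    which would otherwise 301 /?author=N to /author/<nicename>/ and disclose the name.
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() ) {
        return;
    }
    if ( '' !== get_query_var( 'author', '' ) || '' !== get_query_var( 'author_name', '' ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 0 );

// 2. REST API: hide every /wp/v2/users route (list, single user, /me, ...) from
//    unauthenticated requests only. REST cookie auth without a valid nonce leaves the
//    current user at 0, so is_user_logged_in() reflects the request's real auth state.
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 3. Core XML sitemaps (WordPress 5.5+) publish /wp-sitemap-users-1.xml with author
//    archive URLs; returning false from this filter drops the "users" provider entirely.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );

// 4. Login form: core's error text differs for an unknown username and a wrong password,
//    which lets a brute-forcer confirm which usernames exist. Use one generic message.
//    (This replaces every login-page error, including lost-password ones; assumed text.)
add_filter( 'login_errors', function () {
    return 'Invalid login credentials.';
} );

// 5. oEmbed discovery (/wp-json/oembed/1.0/embed?url=<post url>) returns author_name and
//    an author_url that contains the nicename; strip both fields from the response.
add_filter( 'oembed_response_data', function ( array $data ): array {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
} );
```

Because it lives in mu-plugins it is loaded before regular plugins and cannot be deactivated from the dashboard, which is what you want for a hardening control. Note that none of this removes the display names that themes print on posts; if your theme shows the author's name, that is a separate, deliberate disclosure.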
  • The topic ‘Best practices to prevent users listing’ is closed to new replies.