Viewing 12 replies - 1 through 12 (of 12 total)
  • As the author of the stop-user-enumeration plugin, as far as 1 & 3 go:

    The key elements are

    Feel free to browse the code; it is of course GPL: https://plugins.svn.www.ads-software.com/stop-user-enumeration/trunk/frontend/class-frontend.php

    // REST check: if "users" appears in the request URI or in ?rest_route= (plain permalinks),
    // a logged-out visitor gets a WP_Error with the status from rest_authorization_required_code() (401 here).
    if ( ( preg_match( '/users/', $_SERVER['REQUEST_URI'] ) !== 0 )
        || ( isset( $_REQUEST['rest_route'] ) && ( preg_match( '/users/', $_REQUEST['rest_route'] ) !== 0 ) ) ) {
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_cannot_access',
                esc_html__( 'Only authenticated users can access the User endpoint REST API.', 'stop-user-enumeration' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
    }

    and

    // Author check: a logged-out visitor sending ?author=<value containing a digit> (e.g. ?author=1)
    // is stopped with wp_die() before WordPress can redirect to the author archive.
    if ( ! is_user_logged_in() && isset( $_REQUEST['author'] ) ) {
        if ( $this->ContainsNumbers( $_REQUEST['author'] ) ) {
            wp_die( esc_html__( 'forbidden - number in author name not allowed = ', 'stop-user-enumeration' ) . esc_html( $_REQUEST['author'] ) );
        }
    }
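    The two checks above, as an added example for this thread that is not the stop-user-enumeration plugin's own code: a self-contained mu-plugin that refuses anonymous access to the /wp/v2/users REST routes and to ?author=<id>. It differs from the snippets above in two assumptions of its own: the REST check runs on the rest_pre_dispatch filter and matches the route string that WordPress's router itself matches, so embedded author lookups triggered by ?_embed on the posts route (which go through the same dispatcher) are covered as well; and the author check reads only the query string, so a POSTed comment form, which also carries a field named "author", is not affected. The example_sue_ function names and the log line format are the example's own; a Fail2Ban filter would key on that log line, and REMOTE_ADDR is the proxy's address when the site sits behind one.

```php
<?php
/**
 * Plugin Name: Example: block anonymous user enumeration
 *
 * Added example for this thread, not the stop-user-enumeration plugin's code.
 * Save as wp-content/mu-plugins/example-sue.php. All example_sue_ names are
 * the example's own.
 */

/** Log a blocked attempt in a fixed format that a Fail2Ban filter can match. */
function example_sue_log( $what ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'; // proxy IP if behind a proxy
    error_log( sprintf( 'example_sue: blocked %s from %s', $what, $ip ) );
}

/**
 * Reject anonymous requests to the /wp/v2/users routes.
 *
 * rest_pre_dispatch runs after check_authentication(), so is_user_logged_in()
 * already reflects cookie-and-nonce handling, and $request->get_route() is the
 * exact string the router matches, not a raw REQUEST_URI or ?rest_route= value.
 * Returning a WP_Error short-circuits dispatch with that error.
 */
function example_sue_block_users_rest( $result, $server, $request ) {
    if ( null !== $result || is_user_logged_in() ) {
        return $result; // already decided by another filter, or an authenticated caller
    }
    if ( preg_match( '#^/wp/v2/users(?:/|$)#', $request->get_route() ) ) {
        example_sue_log( 'rest ' . $request->get_route() );
        return new WP_Error(
            'rest_cannot_access',
            __( 'Only authenticated users can access the User endpoint REST API.' ),
            array( 'status' => rest_authorization_required_code() ) // 401 for a logged-out caller
        );
    }
    return $result;
}
add_filter( 'rest_pre_dispatch', 'example_sue_block_users_rest', 10, 3 );

/**
 * Refuse ?author=<id> for anonymous visitors on init, which is before
 * redirect_canonical() (template_redirect) would turn the numeric id into the
 * /author/<nicename>/ archive URL. Only $_GET is examined, so a POSTed comment
 * form's "author" field (the commenter's name) does not trigger this.
 */
function example_sue_block_author_query() {
    if ( is_user_logged_in() || ! isset( $_GET['author'] ) ) {
        return;
    }
    $author = wp_unslash( $_GET['author'] );
    // Arrays such as ?author[]=1 and any value containing a digit are rejected.
    if ( ! is_string( $author ) || preg_match( '/\d/', $author ) ) {
        example_sue_log( 'author query' );
        wp_die(
            esc_html__( 'Author lookups by numeric id are not available.' ),
            '',
            array( 'response' => 403 )
        );
    }
}
add_action( 'init', 'example_sue_block_author_query' );
```

    Note that anonymous REST listing already only returns users who have published posts, and that the logged-in exemption is deliberate: the block editor's author dropdown uses the same users route.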
    Thread Starter eddyferns

    (@eddyferns)

    Thanks for the code.

    Will try to see how it works.

    Thread Starter eddyferns

    (@eddyferns)

    While reviewing your code I thought of trying out your stop-user-enumeration plugin.

    I was still able to obtain the username and the display name though it passed the 1 & 3 tests.

    That is correct; as I mentioned, it only protects against methods 1 & 3 for logged-out users.

    There is a specific reason for that: it is a footprint of WP Scan, so it enables blocking of scanners trying to evaluate the site security.

    From a security perspective there is no value in hiding usernames, as usernames are useless without passwords, and limiting login attempts blocks brute-force attacks.

    What is your particular use-case for hiding the username & display name, btw?

    Thread Starter eddyferns

    (@eddyferns)

    Since you say there is no value in hiding usernames then why the “stop-user-enumeration” plugin?

    There is a specific reason for that: it is a footprint of WP Scan, so it enables blocking of scanners trying to evaluate the site security.

    By ‘for that’ I mean the plugin.

    People with bad intent use tools to scan your site. By blocking those tools you break their ability. Even better, as Stop User Enumeration links to the Fail2Ban firewall, if a bad person tries a scan, you get their IP and you block it at the firewall.

    It is all in the plugin readme.

    say there is no value

    You misread; I said

    From a security perspective there is no value in hiding

    but there is a reason for detecting being scanned.

    Also, there may be non-security reasons; that is why I was asking what your reasons are, because you never said what you wanted to achieve.

    Thread Starter eddyferns

    (@eddyferns)

    Appreciate your interest in the matter.

    You have already addressed the password security issue and the purpose of your plugin on your plugin page:

    “Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user names.

    User Enumeration is a type of attack where nefarious parties can probe your website to discover your login name. This is often a pre-cursor to brute-force password attacks. Stop User Enumeration helps block this attack….”

    The plugin did not block WPScan. Even without a scanner the plugin did not prevent me from obtaining usernames.

    Usernames with weak, stolen or phished passwords have always been a security concern.

    If a hacker does not have a valid username, a brute-force password attack is pointless. Moreover, it will keep many of the attacks away.

    Non-Security reason? I am not sure how this is relevant given the nature of the discussion.

    For the VPS, there are server logs of all the IPs targeting or visiting the server. Rate limiting is another measure that can be implemented.

    For Shared Hosting, you will need to update your plugin page since Fullworks Firewall is permanently closed since 28 April 2020.

    If you would like a specific discussion on the plugin, I think it is best if you take it to the plugin support page:

    https://www.ads-software.com/support/plugin/stop-user-enumeration/

    I would be very interested to hear from you on the specifics of your testing, specifically your testing with WP Scan.

    • This reply was modified 3 years, 8 months ago by Alan Fuller.

    For Shared Hosting, you will need to update your plugin page since Fullworks Firewall is permanently closed since 28 April 2020.

    Thanks, yes, I closed that plugin as it had only a few takers; I will update the readme.

    Thread Starter eddyferns

    (@eddyferns)

    If you would like a specific discussion on the plugin, I think it is best if you take it to the plugin support page.
    I just took to the plugin instead of working out the code, for it was a quick way to learn how your code hides usernames.

    In order to understand your perspective on the “no security value” of hiding usernames, read through the content of the page, as your plugin name indicates otherwise.

    So it was about the subject matter not the plugin.

    I would be very interested to hear from you on the specifics of your testing, specifically your testing with WP Scan.
    As I had already mentioned regarding the three tests, WP Scan was able to obtain usernames by its RSS generator, which I think is the same as test 2. The plugin passed the WPintel test on Google Chrome.

    Thanks, yes, I closed that plugin as it had only a few takers; I will update the readme.
    You are welcome!

    Sorry that you are not understanding what I am saying.

    The reveal of a user name in itself is not a security risk. But the action of looking for it is in itself an indication that someone may be up to no good, and their next actions MAY be a security risk.

    Indeed, RSS feeds have the Display name, which defaults to the login, but isn’t the login id.

    If you are worried about exposing login ids, then you also have to consider that most themes also display the Display name.

    Again if that is a concern, then perhaps build a rule that stops the Display name being equal to the login name.

    • This reply was modified 3 years, 8 months ago by Alan Fuller.
    Thread Starter eddyferns

    (@eddyferns)

    The reveal of a user name in itself is not a security risk. But the action of looking for it is in itself an indication that someone may be up to no good, and their next actions MAY be a security risk.
    As I mentioned, revelation of a username is a security risk, varying depending on the nature of the account. For instance, who would want their usernames that are associated with financial transactions to be publicly available? In conjunction with weak, stolen or phished passwords it can be damaging. Exposed usernames are an open invitation for a brute-force attack.

    One can say that revelation of a password is also not a security risk since we don’t know the username. Usernames and passwords are a security risk because of the threat that is associated with it.

    Indeed, RSS feeds have the Display name, which defaults to the login, but isn’t the login id.
    But the Display name is the login ID name when another Nickname is not created, and the Display name is the default Nickname.

    If you are worried about exposing login ids, then you also have to consider that most themes also display the Display name.
    The security risk is reduced when the Display Name is the Nickname and the Nickname is not the login ID name. Some themes provide options to hide authors or display names. For those that don’t, a slight modification in the theme code will remove the display name.

    Again if that is a concern, then perhaps build a rule that stops the Display name being equal to the login name.
    Not necessarily, as this can be easily achieved in the WordPress Dashboard. But of course for sites like e-commerce with many registered users it makes sense from an admin perspective. For those who overlook this risk, Two-Factor authentication then becomes relevant.

    • This reply was modified 3 years, 8 months ago by eddyferns.
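    The rule proposed earlier (stop the Display name being equal to the login name) together with the Nickname and RSS points in the reply above, as an added example that is not part of the original thread or of the stop-user-enumeration plugin. It is a mu-plugin with three pieces: an audit that reports which public fields of each user equal the login, a profile-save check that refuses a display name or nickname equal to the login, and a feed filter that substitutes a neutral label in <dc:creator> where the display name still equals the login. It also checks user_nicename, which the thread does not mention: that is the slug in /author/<nicename>/ and defaults to a sanitized copy of the login. The example_dn_ names and the substitute label (first name, else site name) are the example's own choices.

```php
<?php
/**
 * Plugin Name: Example: keep the login name out of public display names
 *
 * Added example for this thread, not the stop-user-enumeration plugin's code.
 * Save as wp-content/mu-plugins/example-dn.php. All example_dn_ names are the
 * example's own.
 */

/**
 * Return the public fields of $user that equal the login (empty array if none).
 * display_name and nickname default to user_login at registration;
 * user_nicename, the /author/<nicename>/ archive slug, defaults to a
 * sanitized copy of it, so it is compared against sanitize_title( login ) too.
 */
function example_dn_leaks_login( WP_User $user ) {
    $login  = strtolower( $user->user_login );
    $public = array(
        'display_name'  => strtolower( (string) $user->display_name ),
        'nickname'      => strtolower( (string) $user->nickname ), // user meta, via WP_User::__get
        'user_nicename' => strtolower( (string) $user->user_nicename ),
    );
    $hits = array();
    foreach ( $public as $field => $value ) {
        if ( $value === $login || $value === sanitize_title( $login ) ) {
            $hits[] = $field;
        }
    }
    return $hits;
}

/** Audit every account: array of user ID => leaking fields. Run with: wp eval 'print_r( example_dn_audit() );' */
function example_dn_audit() {
    $report = array();
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        $hits = example_dn_leaks_login( $user );
        if ( $hits ) {
            $report[ $user->ID ] = $hits;
        }
    }
    return $report;
}

/**
 * Refuse a profile save whose display name or nickname equals the login.
 * $user is the stdClass of submitted fields that edit_user() builds; adding to
 * $errors makes WordPress reject the save and show the message.
 */
function example_dn_check_profile( WP_Error $errors, $update, $user ) {
    $login = isset( $user->user_login ) ? strtolower( $user->user_login ) : '';
    foreach ( array( 'display_name', 'nickname' ) as $field ) {
        if ( ! empty( $user->$field ) && strtolower( $user->$field ) === $login ) {
            $errors->add( 'example_dn_' . $field, sprintf( __( '%s must differ from the login name.' ), $field ) );
        }
    }
}
add_action( 'user_profile_update_errors', 'example_dn_check_profile', 10, 3 );

/**
 * In feeds, <dc:creator> is filled by the_author(), which runs the 'the_author'
 * filter on $authordata->display_name. When that still equals the login,
 * return the first name, else the site name (the example's choice of label).
 */
function example_dn_feed_author( $display_name ) {
    if ( ! is_feed() || empty( $GLOBALS['authordata'] ) ) {
        return $display_name;
    }
    $author = $GLOBALS['authordata'];
    if ( strtolower( (string) $display_name ) !== strtolower( $author->user_login ) ) {
        return $display_name;
    }
    return $author->first_name ? $author->first_name : get_bloginfo( 'name' );
}
add_filter( 'the_author', 'example_dn_feed_author' );
```

    The profile check only covers edits made through the profile form; accounts created programmatically or by self-registration still start with display name and nickname equal to the login, which is what the audit is for. The nicename cannot be fixed by a filter at output time, since it is the archive URL itself; it has to be changed on the account.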
  • The topic ‘Hiding or Removing usernames’ is closed to new replies.