• Resolved Syncly.it

    (@elnath78)


    Recently I noticed various login attempts being blocked by the security plug-in. This is pretty much ordinary when the attempt is about non-existent users or default/common user names like the website name, or the classic admin, etc.

    Since last week the login attempts (blocked after the defined number of failed logins) were of real users, and the strange thing is that in some cases the users are not exposed in articles/pages as authors. Also consider that user iteration is suppressed: accessing ?author=1 gives no results but a 404 page.

    It seems that they have found a different way to iterate users. Do you know of any possible exploit that could be used, and how to secure the websites? For websites with Yoast, author archives are already suppressed.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hey @elnath78,

    It’s really hard to say exactly how they’re discovering the usernames. I’m not aware of a current exploit that could lead to this. It’s possible that a theme or plugin is linking to them. There’s only so much we can do to prevent an attack. It’s more about making sure they aren’t successful, which it sounds like Wordfence is doing. In addition to your current Wordfence configuration, I’d suggest making sure you have strong passwords and use two-factor as a defense for this.

    Thanks,

    Gerroald

    Thread Starter Syncly.it

    (@elnath78)

    Hi Gerroald,

    I thought the same, but some users were really never exposed in the frontend: users who never posted, created just for debug purposes and tests. I have already excluded common iterations such as the author one, the Yoast sitemap, and the REST API (done by WF); the source code and page headers have no user names exposed.

    Unless WP has some new flaw or leak, I really have no idea what other methods there could be. I’m adding 2FA, starting from the involved websites, and in this group to e-commerce users with “Store Manager” rights. I’m pretty sure that some customers will complain about making their life more complicated; it is hard to explain that sometimes security has a price.
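
One defender-side check for the vectors listed in this thread, as an added example that is not code from the thread or from Wordfence: a small Python script that scans Apache-style access log lines for the enumeration paths named above (?author=N, the REST users endpoint, the author sitemap) and correlates them per client IP with repeated failed POSTs to wp-login.php. The log lines, IP addresses and the failed-login threshold are constructed sample values; the 200-versus-302 login heuristic is an assumption about default WordPress behaviour, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed Apache-style access log lines (sample data, not from the thread):
# 203.0.113.7 walks the enumeration paths the thread names and then POSTs to
# wp-login.php repeatedly; 198.51.100.5 is ordinary traffic with one login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:08:01:02 +0000] "GET /?author=1 HTTP/1.1" 404 1234
203.0.113.7 - - [10/May/2023:08:01:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 88
203.0.113.7 - - [10/May/2023:08:01:05 +0000] "GET /author-sitemap.xml HTTP/1.1" 404 500
203.0.113.7 - - [10/May/2023:08:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
203.0.113.7 - - [10/May/2023:08:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
203.0.113.7 - - [10/May/2023:08:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
198.51.100.5 - - [10/May/2023:08:03:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9000
198.51.100.5 - - [10/May/2023:08:03:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

# Common log format: client IP, request line (method + path), status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Enumeration paths discussed in the thread: ?author=N, the REST users
# collection (pretty and ?rest_route= forms) and the Yoast/core author sitemap.
ENUM_VECTORS = {
    "author_id": re.compile(r"[?&]author=\d+"),
    "rest_users": re.compile(r"/wp-json/wp/v2/users|rest_route=/wp/v2/users"),
    "author_sitemap": re.compile(r"author-sitemap\.xml|wp-sitemap-users"),
}

def analyze(log_text, min_failed_logins=3):
    """Per client IP: enumeration paths probed and failed wp-login.php POSTs."""
    # Assumption: a failed login re-renders the form (HTTP 200), a success redirects (302).
    stats = defaultdict(lambda: {"vectors": set(), "failed_logins": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ip, method, path, status = m.group("ip", "method", "path", "status")
        entry = stats[ip]
        for name, pattern in ENUM_VECTORS.items():
            if pattern.search(path):
                entry["vectors"].add(name)
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            entry["failed_logins"] += 1
    for entry in stats.values():
        # Enumeration probes followed by repeated failures is the pattern described above.
        entry["suspicious"] = bool(entry["vectors"]) and entry["failed_logins"] >= min_failed_logins
    return dict(stats)
```

Run `analyze(open("access.log").read())` against a real log and review the IPs marked suspicious; the result also tells you which suppressed vector was still being probed.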

    Hey @elnath78,

    I completely understand how difficult it can be to force users to use two-factor in some circumstances. But as you know, it really is one of the best defenses. I’d suggest at least forcing strong passwords.

    https://www.wordfence.com/help/firewall/brute-force/#enforce-strong-passwords

    Please let us know if anything else comes up.

    Thanks,

    Gerroald

  • The topic ‘Iterating users while user iteration is suppressed’ is closed to new replies.