• Resolved holoholo

    (@holoholo)


    I have regular Wordfence, not Premium (yet).

    Does Wordfence also do what this plugin does? Do I need them both?

    https://www.ads-software.com/plugins/stop-user-enumeration/

    About this Plugin

    Stop User Enumeration detects attempts by malicious scanners to identify your users.

    If a bot or user is caught scanning for user names they are denied access and their IP is logged.

    When you are viewing an admin page, the plugin does nothing; this is designed this way as it is assumed admin users have authority. Bear this in mind when testing.

    This plugin is best used in conjunction with a blocking tool to exclude the IP for longer. If you are on a VPS or dedicated server where you have root access you can install and configure fail2ban.

    Also note: It is very common for users to leave their Display Name and Nickname the same as their Username, in which case the Username is leaked by so many things. Best to check at least your admins don't do this.

    Support: www.ads-software.com support forum

    Options

    Stop REST API User calls: WordPress allows anyone to find users by API call; by checking this box the calls will be restricted to logged-in users only. Only untick this box if you need to allow unfettered API access to users.

    Stop oEmbed calls revealing user ids: WordPress reveals the user login ID through oEmbed calls by including the Author Archive link, which contains the user id, when in many cases just the Author Name is enough. Note: remember it is not a good idea to have your login user id equal to your display name.

    Disable WP Core Author sitemaps: WordPress provides sitemaps for built-in content types like pages and author archives out of the box. The Author sitemap exposes the user id.

    Log attempts to AUTH LOG: Leave this ticked if you are using Fail2Ban on your VPS to block attempts at enumeration. If you are not running Fail2Ban or are on a shared host this does not need to be ticked; however, it normally will not cause a problem being ticked.

    Remove numbers from comment authors: This plugin uses JavaScript to remove any numbers from a comment author name, because numbers trigger enumeration checking. You can untick this if you do not use comments on your site or you use a different comment method than the standard one.
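    As an added illustration (not the Stop User Enumeration plugin's own code, and not from either post), here is a small must-use plugin that closes the same enumeration paths the options above describe using only core WordPress hooks. It assumes wp-content/mu-plugins/ as the install location, WordPress 5.5+ for the sitemap provider filter, and an invented helper name sue_example_log.

```php
<?php
/*
 * Added example, not the Stop User Enumeration plugin's own code: a must-use
 * plugin closing the same enumeration paths with core WordPress hooks.
 * Assumes wp-content/mu-plugins/ as the install path and WordPress 5.5+
 * (for the sitemap provider filter). sue_example_log is an invented name.
 */

// Write to the auth facility so a Fail2Ban filter can match the line.
// REMOTE_ADDR holds the proxy's address if the site sits behind one.
function sue_example_log( string $reason ): void {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    openlog( 'wordpress', LOG_PID, LOG_AUTH );
    syslog( LOG_WARNING, "User enumeration blocked ({$reason}) from {$ip}" );
    closelog();
}

// /?author=N probes: a numeric author query var is refused outside admin
// screens, mirroring the plugin's admin exemption described above.
add_action( 'init', function (): void {
    if ( is_admin() || ! isset( $_GET['author'] ) ) {
        return;
    }
    if ( is_string( $_GET['author'] ) && preg_match( '/\d/', $_GET['author'] ) ) {
        sue_example_log( 'author query' );
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
} );

// REST API: drop the /wp/v2/users routes for anonymous callers (they get a
// 404 rest_no_route); logged-in users keep normal access.
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// oEmbed: keep author_name, drop the author archive URL carrying the user slug.
add_filter( 'oembed_response_data', function ( array $data ): array {
    unset( $data['author_url'] );
    return $data;
} );

// Core sitemaps: do not register the users (author archive) provider at all.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, string $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );
```

    Themes that print the author slug in markup are untouched by any of this, which is the limitation the reply below also points out.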
Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @holoholo, thanks for getting in touch.

    WordPress by design intentionally leaks usernames. WordPress to this day does not intend to hide admin usernames and does not consider the intentional leaking of admin usernames to be a security problem. Instead, their recommendation is to use strong passwords and two-factor authentication to secure your login page, rather than hide your username. You can read more about this here:

    https://make.www.ads-software.com/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue

    The current stance on this is also evident in the WordPress Codex regarding “Access Control”:

    “One of the top two attack vectors used by cyber criminals is software vulnerabilities and access control. To combat this you must secure any point of entry into your host, WordPress installation or server. This includes employing strong passwords and enabling some form of Multi Factor Authentication.”

    Brute force login attacks are one of the most common attacks that we see. We see millions of brute force login attempts per hour on WordPress sites protected with Wordfence.

    Here is a blog post explaining why hackers are interested in your site and then steps you can take to keep your admin account protected.

    https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/

    To keep yourself protected please carry out the following if you haven’t already done so:

    Make sure all admin accounts and those with high-level access, e.g. with publisher access, use a very strong password – WordPress can auto-generate a very strong password for you on an account page.

    We recommend using a password manager such as 1password.com to store your complex passwords that are exceedingly difficult to remember.

    Set our recommended brute force protection rules. Instructions are in the link below. You can quickly find these options in the Brute Force Protection section on the All Options page:

    https://www.wordfence.com/help/firewall/brute-force/

    Note that the option “Prevent discovery of usernames through /?author=N scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps” won’t help in all cases. Some themes intentionally leak admin usernames as outlined above and there isn’t anything we can do to prevent this.

    Enable two-factor authentication for administrators and those with high-level access, e.g. with publisher access. This feature is on the Login Security page. Instructions are in the link below:

    https://www.wordfence.com/help/tools/two-factor-authentication/

    If there are a large number of login attempts for the same username coming from a large pool of IP addresses then you can also enable the Google reCAPTCHA feature found on the Login Security > Settings page.

    Thanks,

    Peter.

  • The topic ‘Stop User Renumeration plugin-necessaary?’ is closed to new replies.