• Resolved eddyferns

    (@eddyferns)


    Despite enabling all options under “Protect against username enumeration”, the usernames are obtained by the following methods:

    1. RSS Generator

    2. Embeds, when the “WordPress REST API” block is not enabled.

    Regards,
    Ed

Viewing 10 replies - 1 through 10 (of 10 total)
  • Just to chime in here, AFAIK if a nickname for the user is set, which is different from the username, then that is the only thing revealed in the RSS feed.

    Thread Starter eddyferns

    (@eddyferns)

    That is true, but there are some who set the username as the nickname inadvertently or unknowingly, which is also usually the case for novices. So it would be a given for them that the plugin has it all covered.

    Plugin Author nintechnet

    (@nintechnet)

    It’s almost impossible to hide all usernames. There are also several plugins or themes that can leak them in the page. That’s the reason why we mention in the documentation that it is better to use a strong password along with the brute-force protection, rather than to rely on the user enumeration protection.

    Thread Starter eddyferns

    (@eddyferns)

    Point taken per the circumstances. Will check further how far user enumeration can be hardened.

    Username leak via RSS can be plugged through code.

    Plugin Author nintechnet

    (@nintechnet)

    I’ll check the RSS feed. I guess all I’d need to do is to hook it and remove the <dc:creator> tag.

    Thread Starter eddyferns

    (@eddyferns)

    When successful, you could then have it as a feature for your plugin, either inclusively or as an option.

    Plugin Author nintechnet

    (@nintechnet)

    It will have to be optional as some users may want to keep the user name in the feed. In the meantime, if you want to block it now you can add this code anywhere inside the ‘ninjafirewall/lib/utils.php’:

    // Return an empty author name while a feed (RSS/Atom) is being rendered,
    // so the <dc:creator> element carries no name; normal page output is unchanged.
    // The very late priority makes this run after any other 'the_author' filter.
    function nfw_check_author( $display_name ) {
        if ( is_feed() ) {
            return '';
        }
        return $display_name;
    }
    add_filter( 'the_author', 'nfw_check_author', 99999, 1 );
    
    Thread Starter eddyferns

    (@eddyferns)

    Thanks for the code. Username no longer displays!

    Alternatively, the same can be achieved by disabling feeds if not needed.

    FYI, there is a pesky slug, /?feed, which is not a feed, directing WordPress websites to a post where the username is showing in the page source code. Unfortunately the .htaccess redirect doesn’t work. Perhaps PHP again is the way out.

    Plugin Author nintechnet

    (@nintechnet)

    You need to block an existing but empty $_GET['feed'] with the .htninja file:

    // Reject a request whose "feed" query parameter is present but empty (e.g. /?feed or /?feed=).
    // A strict comparison is used so only an actual empty string matches.
    if ( isset( $_GET['feed'] ) && $_GET['feed'] === '' ) {
       return 'BLOCK'; // reject it
    }
    
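    The two snippets the plugin author posted above (the 'the_author' filter that blanks the feed author and the .htninja check for an empty feed parameter) combined into one must-use plugin, as an added example that is not part of this thread or of NinjaFirewall. The file name, the function names, the EXAMPLE_FEED_HIDE_ALL_AUTHORS constant and the choice to hide a feed author only when the display name is the same as the login (the novice case raised earlier in the thread) are this example's own assumptions; the_author, init, is_feed(), get_the_author_meta(), status_header() and nocache_headers() are WordPress core API.

```php
<?php
/**
 * Plugin Name: Feed Username Hardening (example)
 * Description: Stops usernames leaking through RSS/Atom feeds and rejects bare "?feed" requests.
 *
 * Example code, not NinjaFirewall's. Save as wp-content/mu-plugins/feed-username-hardening.php
 * (a must-use plugin, so it is always active and needs no activation step).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run when loaded by WordPress.
}

/*
 * Assumed setting for this example: true strips every author name from feeds;
 * false hides a name only when it is identical to the account's login, i.e.
 * when the nickname was left equal to the username.
 */
define( 'EXAMPLE_FEED_HIDE_ALL_AUTHORS', false );

/**
 * Filter the author name written into feeds.
 *
 * The RSS2 <dc:creator> element and the Atom <author><name> element are both
 * produced by the_author(), which runs the 'the_author' filter, so a single
 * filter covers both formats. Ordinary HTML page output is left untouched.
 *
 * @param string $display_name The author's display name.
 * @return string The name to output, or '' to suppress it.
 */
function example_feed_author_name( $display_name ) {
    if ( ! is_feed() ) {
        return $display_name;
    }

    if ( EXAMPLE_FEED_HIDE_ALL_AUTHORS ) {
        return '';
    }

    // Inside the feed loop $authordata is the current item's author, so this
    // returns that author's login.
    $login = get_the_author_meta( 'user_login' );

    if ( '' !== $login && 0 === strcasecmp( $login, $display_name ) ) {
        return ''; // The display name would reveal the login: suppress it.
    }

    return $display_name;
}
add_filter( 'the_author', 'example_feed_author_name', 99999 );

/**
 * Reject requests that carry a present but empty "feed" query variable
 * (e.g. /?feed or /?feed=). WordPress does not treat these as feed requests,
 * so they render as normal pages instead of going through the filtered feed.
 * Hooking 'init' runs before any theme output has started.
 */
function example_block_empty_feed_param() {
    if ( isset( $_GET['feed'] ) && is_string( $_GET['feed'] ) && '' === $_GET['feed'] ) {
        status_header( 403 );
        nocache_headers();
        exit;
    }
}
add_action( 'init', 'example_block_empty_feed_param' );
```

    Because this runs inside WordPress rather than in NinjaFirewall's .htninja, the empty-feed check only fires for requests that reach WordPress itself. It also does not cover comment feeds, whose commenter names are rendered through comment_author_rss() and therefore bypass the 'the_author' filter; that remains a separate leak to check for.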
    Thread Starter eddyferns

    (@eddyferns)

    Awesome! Gets the job done.

  • The topic ‘User Enumeration issue’ is closed to new replies.