• Resolved axtonc

    (@axtonc)


    Your plugin recently locked out a hack attempt (thanks!) that was using a valid user name to attempt a brute force login. I have used the plugin to block the IP ranges used by the hack attempt.

    I presume the valid user name was obtained via user enumeration or WPScan.

    Do you have anything within the WP Security plugin to stop user names from being accessed via enumeration or is this something on the horizon for development? Or would you recommend any other plugin to do this?

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi axtonc, are you currently using any of the Brute Force features? Is the valid user name Admin? Have you also enabled the following: Enable Pingback Protection, under Firewall -> Basic Firewall Rules?

    Thread Starter axtonc

    (@axtonc)

    Hi mbrsolution
    Thanks for fast response.

    Brute Force – I have only implemented the Honeypot feature but will consider the feature to rename the login page – just worried that it may conflict with WP-Members plugin – any thoughts?

    Admin – The Admin user name had already been replaced, but the name discovered did have admin rights.

    Pingback – Yes I have implemented Pingback Protection.

    I guess rename of Login page should stop the attacks but user names are still discoverable using the domainname.com/?author=n method. Just wondered if All In One would do anything specifically to stop that.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, try the rename login feature and see if that works for you. I have never tried that code ?author=n. Can you confirm that it does reveal the username? Where does that code come from?

    Thread Starter axtonc

    (@axtonc)

    Hi
    I’ll test the effect of rename login page on a test site – thanks.

    There is quite a lot on the web about this issue but this article explains it quite well.

    https://www.acunetix.com/blog/articles/wordpress-username-enumeration-using-http-fuzzer/

    There is also a plugin (Stop User Enumeration) to address the issue, but I'm not sure if it would be compatible with other plugins relating to security and login etc.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Thanks for that.

    You will find that if you do enable one of the brute force features (eg, rename login page), even if someone finds your username via enumeration, it will effectively be useless to them as far as trying to log into your site because they won’t be able to find your login page.

    @axtonc
    If you have access to your WP database, you can easily protect your site from this enumeration hack by changing the IDs of (at least) the admin user(s) to whatever number you want (the higher and more randomly chosen the better ;-))…

    Simply follow the steps shown here!

    Another method would be just to ban access to “yoursite.tld/?author=XYZ” via .htaccess…
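Added example, not posted by anyone in this thread and not part of the All In One WP Security plugin: a small must-use plugin that implements the second method above in PHP instead of .htaccess. It answers numeric `?author=N` probes with a 404 before WordPress's canonical redirect can turn them into `/author/<username>/`, and logs each probe so the attempts show up in the server log. The function name `example_is_author_id_probe` and the log prefix are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Block author-ID enumeration (example)
 * Description: Drop into wp-content/mu-plugins/. Answers ?author=N with 404
 *              instead of redirecting to /author/<username>/.
 */

// Hypothetical helper: true when the request asks for an author archive by
// numeric ID (the form used for enumeration), false for anything else.
function example_is_author_id_probe( array $query_vars ): bool {
    if ( ! isset( $query_vars['author'] ) ) {
        return false;
    }
    // ?author=1, ?author=007 and ?author=1,2 are all numeric ID lookups;
    // a request for /author/<name>/ never sets a purely numeric value here.
    return (bool) preg_match( '/^\d+(,\d+)*$/', (string) $query_vars['author'] );
}

add_action( 'init', function () {
    // Leave wp-admin alone: the Users screen legitimately filters by author ID.
    if ( is_admin() ) {
        return;
    }
    if ( ! example_is_author_id_probe( $_GET ) ) {
        return;
    }

    // Record the probe for the defender (IP and raw query string only).
    $client = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'example-author-enum: blocked author-ID probe from %s (author=%s)',
        $client,
        sanitize_text_field( (string) $_GET['author'] )
    ) );

    // A plain 404 leaks nothing: no redirect, no username, no "user exists" hint.
    status_header( 404 );
    nocache_headers();
    exit;
} );
```

Author archives reached by name (`/author/<username>/`) are unaffected, so existing links keep working while the ID-to-name mapping is no longer exposed.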

    Plugin Contributor mbrsolution

    (@mbrsolution)

    @axtonc have you resolved your issue?

    Thread Starter axtonc

    (@axtonc)

    I don’t yet have an answer to the enumeration issue but have changed the IDs of the admin users and have not had any attempts to hack in since. I have also tested the feature that renames the login page and it seems to work OK with the other plugins I am using.

    It would be a bonus if AIO WP-Security included something to address the enumeration issue but that’s just a nice to have I guess.

    I’ll mark this issue as resolved now. Thanks for your help.

  • The topic ‘User enumeration risk’ is closed to new replies.