WordPress User Enumeration
Description
Often, web applications reveal when a username exists on the system, either as a consequence of misconfiguration or as a design decision. For example, sometimes, when we submit wrong credentials, we receive a message that states that either the username is present on the system or the provided password is wrong. The information obtained can be used by an attacker to gain a list of users on the system. This information can be used to attack the web application, for example, through a brute force or default username and password attack. OWASP
Recommendation
Block HTTP requests to the /?author= and /wp-json/wp/v2/users/ URLs. You can use functions.php or .htaccess for this.
The snippet below is sample .htaccess code you can use to prevent WordPress user enumeration. Note that the REST route regex must match with or without a trailing slash, otherwise a request to /wp-json/wp/v2/users (no slash) is not blocked.
# Apache mod_rewrite: answer user-enumeration requests with 403 Forbidden
RewriteEngine on
# ?author=N would otherwise redirect to /author/<username>/
RewriteCond %{QUERY_STRING} (author=\d+) [OR]
# REST API users route, with or without a trailing slash
RewriteCond %{REQUEST_URI} /wp-json/wp/v2/users(/|$)
RewriteRule .* - [F]
You should also make sure your theme is not displaying usernames.
Another option is to use one of the plugins available for blocking user enumeration.
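The functions.php alternative mentioned above, written here as an added example (it is not code from this page or from WordPress core). It assumes a standard WordPress install and relies only on the core hooks init and rest_endpoints and the core helpers is_admin(), is_user_logged_in() and wp_die().

```php
<?php
/**
 * Added example: block WordPress user enumeration from a theme's functions.php.
 * Assumes a standard WordPress install; init, rest_endpoints, is_admin(),
 * is_user_logged_in() and wp_die() are WordPress core APIs.
 */

// 1. ?author=N normally 301-redirects to /author/<username>/ via
//    redirect_canonical (hooked on template_redirect). 'init' fires earlier,
//    so the request is refused before the redirect can leak the username.
add_action('init', function () {
    if (is_admin()) {
        return; // wp-admin user lists legitimately use ?author=
    }
    $author = isset($_GET['author']) ? (string) $_GET['author'] : '';
    if (preg_match('/^\d+$/', $author)) {
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
});

// 2. Remove /wp/v2/users and /wp/v2/users/<id> for anonymous visitors.
//    This also covers the ?rest_route=/wp/v2/users fallback, since both
//    URL forms resolve to the same registered routes. Logged-in users
//    keep the routes so the block editor's author picker still works.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users']);
    unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});
```

After deploying, an anonymous GET to /wp-json/wp/v2/users should return a 404 rest_no_route error and /?author=1 a 403 instead of a redirect to the author archive.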
References
- OWASP: Testing for Account Enumeration and Guessable User Account
- WordPress
- CWE-200
- OWASP 2007-A6
- OWASP 2021-A1