Prevent User Enumeration

By scanning WordPress URLs it is possible to find valid user accounts for use with brute force attacks. This can possibly be prevented by using techniques like the one on this page: https://perishablepress.com/stop-user-enumeration-wordpress/ My question is: can WPMU Dev please investigate this technique and, if it's working, include it in the Defender Plugin? (There is a .htaccess solution.) Thank you very much!

  • Michael
    • The Incredible Code Injector

    Hi all,

    Another approach could be to disable the wp-json/wp/v1/search URL and write a new custom route URL, with the same page/post query but leaving the author name out of it.

    I think this would prevent a lot of bot attacks since they can't read the usernames anymore from the 'open standard WP json' files.

    But I'm not a specialist, you are :wink:

    • Nahid
      • Tech Support

      Hey Michael!
      Hope you are doing well today!

      Thank you for your opinion. I personally feel this would be doable as well, however, I'm not completely sure how this would affect the whole WordPress Rest API experience. I've included this potential approach along with the request sent to the developers.

      Thank you for your feedback!

      Kind regards,
      Nahid

  • Michael
    • The Incredible Code Injector

    FYI: I have noticed that the enumeration seems to be getting more popular. Besides (non-standard) user names, I also note that they are trying to use the ID behind the author:

    We've just locked out the host --.--.--.-- from https://*.*/ due to more than 20 404 requests for the file /?author=22. They have been locked out for 300 seconds.

    • Nahid
      • Tech Support

      Hey Michael!
      Hope you are doing well today!

      Thank you for conveying the information to us. I believe the developers are already aware of the usage of authors' user IDs for enumeration. I have still added this as a concern in the task report that was sent to them.

      We really appreciate your cooperation and feedback regarding this. Thanks!

      Kind regards,
      Nahid
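The two leaks discussed in this thread, the `/?author=N` redirect that reveals the login slug and the public REST users listing, can both be closed from a WordPress mu-plugin. The following is an added example written for this page; it is not Defender's code and not the .htaccess rules from the linked article, and the plugin and function names are my own.

```php
<?php
/**
 * Plugin Name: Stop User Enumeration (example, not Defender)
 * Description: Blocks /?author=N probes and hides the REST users routes from anonymous visitors.
 * Install by copying into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Only a numeric author query counts as a probe; a genuine author archive uses /author/<slug>/.
function sue_example_is_author_probe(): bool {
    if ( is_admin() || is_user_logged_in() ) {
        return false;
    }
    return isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) === 1;
}

// Run at priority 1, before redirect_canonical (priority 10 on template_redirect),
// which is the core step that turns /?author=22 into /author/<login-slug>/.
add_action( 'template_redirect', function () {
    if ( sue_example_is_author_probe() ) {
        nocache_headers();
        wp_safe_redirect( home_url( '/' ), 301 ); // send the scanner to the home page instead
        exit;
    }
}, 1 );

// Second line of defence: if the canonical redirect is still computed for an
// author-ID request, refuse it so the slug is never disclosed.
add_filter( 'redirect_canonical', function ( $redirect_url, $requested_url ) {
    return preg_match( '/[?&]author=\d+/', (string) $requested_url ) ? false : $redirect_url;
}, 10, 2 );

// Drop the user listing and single-user routes from the REST index for anonymous
// requests. Logged-in users (e.g. the block editor) keep the routes.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );
```

Post objects returned by the REST API still carry the numeric `author` ID, so this hides the listing rather than every reference to an author; pair it with rate limiting of the kind Defender's lockout message above shows, since the 301 responses are still a signal worth counting.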
