USER ENUMERATION IN WORDPRESS


WordPress powers over 40% of the web, making it a lucrative target for attackers. User enumeration in WordPress is a potential vulnerability that attackers can exploit to gain insights into a website’s user accounts. While it may seem harmless at first glance, it can serve as a precursor to more severe attacks, such as brute-force login attempts.


VULNERABILITY

User enumeration occurs when attackers can determine valid usernames registered on a WordPress site. Typically, attackers probe a site by interacting with login forms, author archives or APIs to extract usernames. These usernames can then be used in targeted brute-force attacks to guess passwords or compromise accounts.
For example:
Accessing the /?author=1 URL on some WordPress sites might redirect the attacker to a page like /author/admin, revealing the username admin.
Sending crafted login requests may produce different error messages for valid and invalid usernames.

IMPACT

While user enumeration itself doesn’t compromise your site, it lays the groundwork for other attacks:

Brute-Force Attacks:

With a valid username, attackers can attempt to guess passwords.

Phishing or Social Engineering:

Revealed usernames, especially those matching email addresses or names, can be exploited in targeted phishing campaigns.

Reconnaissance:

Knowing usernames can give attackers insights into user roles (e.g., admin accounts) and tailor their attacks accordingly.

SOLUTION

Following are steps to mitigate and secure your WordPress site against user enumeration:

1. Disable Author Archive Enumeration

Prevent access to author archives via the functions.php file in your theme by adding the following code:
add_action('template_redirect', function() {
if (is_author()) {
wp_redirect(home_url());
exit;
}
});

2. Restrict REST API Access

Restrict REST API access to authenticated users by adding this code snippet:
add_filter('rest_endpoints', function($endpoints) {
if (isset($endpoints['/wp/v2/users'])) {
unset($endpoints['/wp/v2/users']);
}
return $endpoints;
});
Alternatively, use a plugin like Disable REST API for easier implementation.

3. Use Custom Login Error Messages

Modify the default WordPress login error messages to avoid revealing username validity:
add_filter('login_errors', function() {
return 'Login failed. Please check your credentials.';
});

4. Implement Rate Limiting

Use plugins such as Wordfence Security or Limit Login Attempts Reloaded to limit login attempts, slowing down brute-force attacks.

5. Rename Default Admin Username

Avoid using predictable usernames like admin. During setup, create a unique administrator username and delete the default one.

6. Employ a Web Application Firewall (WAF)

Use security tools like Cloudflare or Sucuri Firewall to block automated requests that attempt enumeration.

7. Regular Security Audits

Perform periodic audits to identify and mitigate user enumeration vulnerabilities.