WordPress Username Enumeration


What is user enumeration?

In many WordPress blogs, it’s possible to enumerate the users using a well-known feature/bug related to author archives. This works if the following conditions are met:

  • WordPress permalinks are enabled. By default WordPress uses web URLs which have question marks and lots of numbers in them; however, WordPress offers the ability to create a custom URL structure for your permalinks and archives. Many blogs use this feature.
  • The user has to write at least one post in order to be listed.

How does it work?

When permalinks are enabled, WordPress provides a URL that lists all the posts written by a certain user. For example, the URL http://site.com?author=1 will list all the posts written by the first user (with id 1). However, it will first redirect to a URL containing the username of this user id. In this example, it will redirect to http://site.com/author/admin/.

admin is the username of the user with id 1. So, even if the installation followed security practices and renamed the administrator account, an attacker can use this trick to discover the administrative account name.

With this, an attacker can iterate through all the user ids and list all the users that have at least one post. This represents a security risk that should be addressed, especially since WordPress doesn’t prevent repeated password-guessing attacks.
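The enumeration described above leaves a distinctive footprint in the web server's access log: one client walking through ?author=1, ?author=2, ... and collecting the redirects. The following Python script is an added example (not part of the original post) that parses constructed Apache combined-format log lines, flags clients that probed several distinct author ids, and lists which ids were answered with a redirect and therefore disclosed a username.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=3 HTTP/1.1" 404 1200 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /author/editor/ HTTP/1.1" 200 5120 "https://site.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /?author=2 HTTP/1.1" 301 0 "https://site.com/" "Mozilla/5.0"
"""

# Apache combined log format: client ip, identity, user, [time], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def _author_requests(log_text):
    """Yield (ip, author_id, status) for every request carrying a numeric author= parameter."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("path")).query)
        for value in query.get("author", []):
            if value.isdigit():
                yield m.group("ip"), int(value), m.group("status")

def author_ids_by_ip(log_text):
    """Map each client IP to the set of distinct author ids it asked for."""
    seen = defaultdict(set)
    for ip, author_id, _status in _author_requests(log_text):
        seen[ip].add(author_id)
    return seen

def flag_enumerators(log_text, threshold=3):
    """IPs that probed at least `threshold` distinct author ids: the enumeration pattern."""
    return sorted(ip for ip, ids in author_ids_by_ip(log_text).items() if len(ids) >= threshold)

def disclosed_ids(log_text):
    """Author ids whose ?author=N request was answered with a redirect (301/302).
    On an unprotected site that redirect points at /author/<username>/, so each of
    these ids corresponds to a real account whose username has now been revealed."""
    return {aid for _ip, aid, status in _author_requests(log_text) if status in ("301", "302")}

if __name__ == "__main__":
    print("enumerating clients:", flag_enumerators(SAMPLE_LOG))
    print("author ids disclosed:", sorted(disclosed_ids(SAMPLE_LOG)))
```

Note that disclosed_ids() assumes the site is still unprotected: once the .htaccess rule below is in place, ?author=N requests are also answered with a 301 (to the site root), so the status code alone no longer distinguishes a disclosed username from a blocked probe.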

How do we prevent somebody from enumerating our WordPress users?

One solution is to place the following in the site's .htaccess file:

# Send any request carrying a numeric author= query parameter back to the site root,
# except under /wp-admin where the parameter is used legitimately
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

However, this is not ideal as it’s highly likely that somebody will find a bypass for these .htaccess rules – essentially, it is a WordPress problem and should be fixed in WordPress.

A better solution would be to have very strong passwords for your accounts so even if an attacker can enumerate your usernames they cannot gain access to the Dashboard. However, an attacker trying to log in using thousands of passwords will generate as many requests and will slow down your website considerably.
