Prevent Wordpress user enumeration
Sat, Sep 17, 2016 · 1 minute read · web
We support a Wordpress site for an organisation that recently passed its regular PCI compliance scan.
Part of that scan checks whether a Wordpress site allows user enumeration; it should not.
To check your own site, the test for Wordpress user enumeration is relatively straightforward.
If your site allows enumeration, this loop lists the usernames behind author IDs 1 to 5:
# Enumerate Wordpress users
$ for i in {1..5}; do curl -s -L -i http://www.example.org.uk/?author=$i | grep -E -o "\" title=\"View all posts by [a-z0-9A-Z\-\.]*|Location:.*" | sed 's/\// /g' | cut -f 6 -d ' ' | grep -v "^$"; done
If you are using Apache, one way to prevent user enumeration is to add the following three lines to your site's .htaccess
(taken from a forum thread on Stack Exchange). Together they take any request outside /wp-admin that carries an author=N query parameter and redirect it with a 301 to the site root, dropping the query string (the trailing ? in the RewriteRule target):
# Prevent Wordpress user enumeration
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]
It is worth noting that allowing user enumeration is a PCI compliance failure.
- Update
Applying a major update (e.g. 4.7 to 4.8) will likely overwrite your changes to .htaccess.
Check .htaccess after each upgrade, or consider using a Wordpress plugin, e.g. Stop user enumeration.
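The post-upgrade check above is easy to script. The following is an added example, not code from the original post or from Wordpress: a small POSIX shell function that reports whether the three rewrite lines are still present in a given .htaccess and whether they sit inside the `# BEGIN WordPress` / `# END WordPress` markers (the section Wordpress regenerates) or outside them. The two sample .htaccess files are constructed for the example; the custom block in the first sample repeats `RewriteEngine On` so it does not depend on the Wordpress block that follows it.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the anti-enumeration
# rewrite rules survive in .htaccess and are placed outside the markers that
# Wordpress rewrites during an upgrade.

# Constructed sample: the three lines from the post placed ABOVE the
# "# BEGIN WordPress" marker, with their own RewriteEngine On.
SAMPLE_HTACCESS='# Prevent Wordpress user enumeration
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress'

# Constructed sample: the same lines placed INSIDE the markers, where an
# upgrade regenerates the section and drops them.
SAMPLE_INSIDE_MARKERS='# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress'

# check_htaccess FILE
# Prints a verdict and returns:
#   0  rules present and outside the Wordpress markers (survive an upgrade)
#   1  rules present but inside the markers (an upgrade will remove them)
#   2  rules missing
check_htaccess() {
    file=$1
    # Line number of the author= query-string condition (fixed-string match,
    # so the backslash in \d needs no escaping).
    rule_line=$(grep -nF 'RewriteCond %{QUERY_STRING} author=\d' "$file" | head -n1 | cut -d: -f1)
    if [ -z "$rule_line" ]; then
        echo "$file: user-enumeration rewrite rules MISSING"
        return 2
    fi
    begin_line=$(grep -n '^# BEGIN WordPress' "$file" | head -n1 | cut -d: -f1)
    end_line=$(grep -n '^# END WordPress' "$file" | head -n1 | cut -d: -f1)
    if [ -n "$begin_line" ] && [ -n "$end_line" ] \
       && [ "$rule_line" -gt "$begin_line" ] && [ "$rule_line" -lt "$end_line" ]; then
        echo "$file: rules present but INSIDE the Wordpress markers (line $rule_line); an upgrade will overwrite them"
        return 1
    fi
    echo "$file: rules present outside the Wordpress markers (line $rule_line)"
    return 0
}

# Usage: sh check_htaccess.sh /path/to/site/.htaccess [more files...]
# With no arguments, run against the two constructed samples above.
if [ $# -gt 0 ]; then
    for f in "$@"; do check_htaccess "$f" || true; done
else
    for sample in "$SAMPLE_HTACCESS" "$SAMPLE_INSIDE_MARKERS"; do
        tmp=$(mktemp)
        printf '%s\n' "$sample" > "$tmp"
        check_htaccess "$tmp" || true   # a non-zero verdict is expected for the second sample
        rm -f "$tmp"
    done
fi
```

Run it against the live .htaccess after every Wordpress upgrade; a return code of 1 or 2 means the site is back to allowing `?author=N` enumeration and the scan will fail again.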