One of the most common attacks on WordPress is brute-forcing: attackers run bots that try large numbers of username and password combinations against your login page until one works. Guessing both halves of a credential blind is slow, though, so attackers first use a few well-known techniques to discover which usernames actually exist. Those techniques, and how to shut them down, are the subject of this article.

User enumeration is a serious weakness in its own right. Simply put, a site that lets anyone enumerate its users hands attackers half of every credential for free. Keeping a WordPress site secure therefore means stopping user enumeration. In this article we explain the ways user enumeration is done and how to stop it in WordPress.

What is user enumeration?

User enumeration is any technique that lets an outsider learn which usernames exist on your site, whether by hand or with a script. It yields only usernames, not passwords, but that is still a serious risk: knowing a valid username is half the work of a brute-force attack, since the attacker now has to guess one value instead of two.

And if your authors use weak or reused passwords, know that you are at risk.

How Does User Enumeration Work in WordPress?

Method 1: Author Archives

Perhaps the easiest method of finding WordPress usernames is through the author archives. To enumerate usernames this way, simply append an integer (1, 2, 3, and so on) as the value of the author query parameter on the site's home URL. For example:

http://example.com/?author=1
http://example.com/?author=2
http://example.com/?author=3
For every integer that matches an existing user ID, WordPress redirects the request to that user's author archive, and the archive URL contains the author slug, which by default is derived from the login name:
http://example.com/author/admin/
http://example.com/author/user2/
http://example.com/author/user3/

Therefore, by fuzzing the author parameter on the WordPress home URL, one username after another can be enumerated. IDs that do not exist return a 404 instead of a redirect, so the attacker can also tell when the sequence of accounts runs out.

The same names are often exposed by the theme as well. Theme templates commonly print the author's name, or link to the author archive, in post meta information, on author-archive pages, or elsewhere, which hands the attacker the same information without any fuzzing. Setting a display name that differs from the login name limits that particular leak, but it does not change the author slug in the archive URL, so the redirect above still reveals it.

Method 2: Error Messages

At times, the attacker simply tries to log in to your WordPress site with a guessed username and an arbitrary password. If the username exists, the error message says the password is wrong for that user; if it does not, the error message says that no such user is registered. The login form thus acts as an oracle, and by submitting one guess after another (a brute-force over usernames rather than passwords) the attacker can confirm which usernames exist. Compare the two responses below.

[Screenshot from the original post: login error for an existing username]

The error message confirms that the username “admin” exists: it states that the password entered for admin is incorrect.

[Screenshot from the original post: login error for a non-existent username]

The error message states that no such username is registered.
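Both methods above, worked as an added example (this is not code from the original article): probe_author_ids() walks /?author=N and harvests the slug from the redirect Location header, or from the author-<slug> body class when pretty permalinks are off; probe_username() submits a random wrong password and classifies the login error as the oracle described above. The transport is injected so the logic runs offline against fake_fetch(), a constructed stand-in for a site with users admin and editor; urllib_fetch() is the real transport for a site you are authorised to test. The host example.com and the User-Agent string are placeholders.

```python
# Added example, not code from the original article.  The HTTP transport is
# injected so the probes run offline against a constructed stand-in site.
import random
import re
import string
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names
    body: str = ""

# (url, POST fields or None) -> Response, without following redirects.
Fetch = Callable[[str, Optional[Dict[str, str]]], Response]

_SLUG_IN_LOCATION = re.compile(r"/author/([^/?#]+)/?")
_BODY_CLASS = re.compile(r'<body[^>]*\bclass="([^"]*)"', re.I)

def probe_author_ids(base: str, fetch: Fetch, max_id: int = 10) -> Dict[int, str]:
    """Method 1: request /?author=N for N = 1..max_id and harvest the slug.
    Pretty permalinks: 301 to /author/<slug>/.  Plain permalinks: the archive is
    served directly and body_class() carries author-<slug> next to author-<ID>."""
    found: Dict[int, str] = {}
    for n in range(1, max_id + 1):
        r = fetch(f"{base.rstrip('/')}/?author={n}", None)
        slug = None
        if r.status in (301, 302):
            m = _SLUG_IN_LOCATION.search(r.headers.get("location", ""))
            slug = m.group(1) if m else None
        elif r.status == 200:
            m = _BODY_CLASS.search(r.body)
            classes = m.group(1).split() if m else []
            slug = next((c[7:] for c in classes
                         if c.startswith("author-") and not c[7:].isdigit()), None)
        if slug:
            found[n] = slug
    return found

def probe_username(base: str, fetch: Fetch, username: str) -> str:
    """Method 2: submit a random wrong password and read the login error.
    Returns 'exists', 'unknown', or 'inconclusive' (one generic message either way)."""
    junk = "".join(random.choices(string.ascii_letters + string.digits, k=24))
    r = fetch(f"{base.rstrip('/')}/wp-login.php",
              {"log": username, "pwd": junk, "wp-submit": "Log In", "testcookie": "1"})
    text = re.sub(r"<[^>]+>", "", r.body)  # WordPress wraps the name in <strong>
    if "password you entered for the username" in text:
        return "exists"
    if "is not registered on this site" in text or "Invalid username." in text:
        return "unknown"
    return "inconclusive"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 30x as HTTPError instead of following it

def urllib_fetch(url: str, fields: Optional[Dict[str, str]]) -> Response:
    # Real transport; the offline demo below never calls it.
    data = urllib.parse.urlencode(fields).encode() if fields is not None else None
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "enum-probe/1.0"})
    try:
        with urllib.request.build_opener(_NoRedirect()).open(req, timeout=10) as resp:
            code, hdrs, body = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as e:
        code, hdrs, body = e.code, e.headers, e.read()
    return Response(code, {k.lower(): v for k, v in hdrs.items()},
                    body.decode("utf-8", "replace"))

def fake_fetch(url: str, fields: Optional[Dict[str, str]]) -> Response:
    """Constructed stand-in for a site with users admin (ID 1) and editor (ID 2)."""
    users = {1: "admin", 2: "editor"}
    u = urllib.parse.urlparse(url)
    if u.path.endswith("/wp-login.php") and fields is not None:
        name = fields.get("log", "")
        msg = (f"The password you entered for the username <strong>{name}</strong> is incorrect."
               if name in users.values() else
               f"The username <strong>{name}</strong> is not registered on this site.")
        return Response(200, {}, f'<div id="login_error"><strong>Error:</strong> {msg}</div>')
    author = urllib.parse.parse_qs(u.query).get("author", [""])[0]
    if author.isdigit() and int(author) in users:
        return Response(301, {"location": f"{u.scheme}://{u.netloc}/author/{users[int(author)]}/"})
    return Response(404, {}, "<html><body class=\"error404\">Not found</body></html>")

if __name__ == "__main__":
    site = "http://example.com"  # placeholder; fake_fetch never touches the network
    print(probe_author_ids(site, fake_fetch, max_id=5))  # {1: 'admin', 2: 'editor'}
    for name in ("admin", "nobody"):
        print(name, "->", probe_username(site, fake_fetch, name))
```

The 'inconclusive' result is the one you want to see after hardening: once the site answers every failed login with the same generic message, probe_username() can no longer tell an existing account from a non-existent one, and probe_author_ids() should come back empty once ?author=N is blocked. Real sites also rate-limit wp-login.php, so a real run should space requests out.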

One-click Solution for User Enumeration in WordPress

To stop user enumeration in WordPress with a single click, use the free WP Hardening plugin. WP Hardening is a one-stop tool for applying recommended security settings to your WordPress site. Its settings are simple toggles, so each fix takes just one click.

Here is how it works:

  1. Install and activate the plugin.
  2. Go to the “Security Fixers” tab.
  3. Toggle the key next to “Stop user enumeration” and it’s done.

No mind-numbing code and no cumbersome file editing, just the flick of a switch!

Apart from stopping user enumeration, the plugin can fix some twenty-odd other security issues in WordPress. Not only is it easy to use, it is also free.

How to Stop User Enumeration Manually in WordPress?

1. By Editing WordPress Files

The author-archive enumeration (method 1) can be blocked by adding a code snippet to your theme's functions.php file or a rule to the .htaccess file at the root of the WordPress installation. Use the .htaccess rule if you want the request stopped by the web server before WordPress loads at all. Note that edits to a theme's functions.php are lost when the theme updates, so put the PHP version in a child theme or a must-use plugin. To accomplish this:

  • Step 1: Log in to your hosting control panel's file manager, or connect to the server over SFTP or SSH.
  • Step 2: Navigate to the WordPress installation directory, then to wp-content/themes. Open the directory of your active theme (or, better, of your child theme) and find the functions.php file.
  • Step 3: Open functions.php, paste the following code into it and save:
    // Block author-ID enumeration on the front end only: wp-admin uses ?author=N
    // legitimately (e.g. edit.php?author=1), so the is_admin() guard must stay.
    if ( ! is_admin() ) {
        // Test the decoded parameter rather than the raw $_SERVER['QUERY_STRING']:
        // PHP decodes %-escapes in names, so ?%61uthor=1 evades a regex on the raw
        // string but still reaches WordPress as author=1.
        if ( ! empty( $_GET['author'] ) ) {
            wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
        }
        add_filter( 'redirect_canonical', 'shapeSpace_check_enum', 10, 2 );
    }
    function shapeSpace_check_enum( $redirect, $request ) {
        // Permalink URL format: never canonicalise /?author=N to /author/<name>/.
        if ( preg_match( '/[?&]author=/i', $request ) ) {
            wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
        }
        return $redirect;
    }

This snippet aborts any front-end request that carries an author query parameter before WordPress can resolve it to an author archive or redirect to one, and so stops user enumeration by method 1. It does not touch the admin area, where the same parameter is used to filter post lists, and it does nothing about author names the theme itself prints on pages (see method 1 above). To stop user enumeration using the .htaccess file instead, follow these steps:

  • Step 1: Log in to your hosting file manager or connect to the server over SFTP or SSH.
  • Step 2: Find the .htaccess file at the root of your WordPress installation (the directory that contains wp-config.php).
  • Step 3: Open the .htaccess file, paste the following block into it above the # BEGIN WordPress section, and save:
    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Front end only: wp-admin uses ?author=N legitimately (edit.php?author=1).
    RewriteCond %{REQUEST_URI} !/wp-admin/
    # Match author=<digits> as a whole parameter, wherever it sits in the query string.
    RewriteCond %{QUERY_STRING} (^|&)author=\d+
    # Redirect to the home page; the trailing ? drops the original query string.
    RewriteRule .* http://abc.com/? [L,R=302]
    </IfModule>

Here replace “abc.com” with the domain name (and scheme) of your WordPress site and you are done. One caveat: mod_rewrite tests the raw query string as received, so a percent-encoded parameter name such as %61uthor=1, which PHP decodes to author=1 before WordPress sees it, slips past any such rule. Treat the .htaccess rule as a cheap first layer in front of the PHP check rather than a replacement for it.
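To make the difference between the rules concrete, the following added example (not code from the original article) runs a few constructed query strings through the two patterns as they are commonly published for the .htaccess rule and the functions.php snippet, through a raw-string pattern that respects parameter boundaries, and through the percent-decoding that WordPress effectively gets via $_GET. Python's re stands in for Apache's PCRE and urllib.parse.parse_qs for PHP's query-string decoding; both are exact for these simple patterns. The rule names and the four query strings are the example's own.

```python
# Added example, not code from the original article: which ?author= requests
# each blocking rule catches, compared with what WordPress actually acts on.
import re
from urllib.parse import parse_qs

# .htaccess rule as commonly published: anchored to the start of the RAW query
# string, so it fires only when author= is the first parameter.
HTACCESS_ANCHORED = re.compile(r"^author=([0-9]*)")
# functions.php snippet as commonly published: unanchored, but run against the
# raw $_SERVER['QUERY_STRING'].
PHP_UNANCHORED = re.compile(r"author=([0-9]*)")
# Raw-string rule that at least respects parameter boundaries.
RAW_PARAM = re.compile(r"(^|&)author=\d+")

RULES = {
    "htaccess_anchored": HTACCESS_ANCHORED,
    "php_unanchored": PHP_UNANCHORED,
    "raw_param": RAW_PARAM,
}


def wordpress_sees_author(query_string: str) -> bool:
    """What WordPress acts on: $_GET, i.e. names and values percent-decoded."""
    return bool(parse_qs(query_string).get("author"))


def evaluate(query_string: str) -> dict:
    """Per rule: does it fire on this raw query string?"""
    return {name: rx.search(query_string) is not None for name, rx in RULES.items()}


def bypassed_rules(query_string: str) -> list:
    """Rules that stay silent although WordPress will honour author=N."""
    if not wordpress_sees_author(query_string):
        return []
    return [name for name, hit in evaluate(query_string).items() if not hit]


def false_positives(query_string: str) -> list:
    """Rules that fire although WordPress will not see an author parameter."""
    if wordpress_sees_author(query_string):
        return []
    return [name for name, hit in evaluate(query_string).items() if hit]


# Constructed probe query strings, not captured traffic.
CASES = ["author=1", "x=1&author=2", "%61uthor=3", "coauthor=4"]

if __name__ == "__main__":
    for qs in CASES:
        print(f"?{qs:<14} wp_sees={wordpress_sees_author(qs)!s:<5} "
              f"bypassed={bypassed_rules(qs)} false_pos={false_positives(qs)}")
```

The output shows the anchored .htaccess pattern missing x=1&author=2, every raw-string rule missing %61uthor=3, and the unanchored PHP regex firing on the harmless coauthor=4. The decoded check is the one that tracks what WordPress does, which is why the PHP side should test $_GET['author'] rather than the raw query string and why the .htaccess rule is only a first layer.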

2. By Removing Detailed Error Messages

To prevent user enumeration through error messages, the plugin Unified Login Error Messages can help. It returns the same error message whether or not the username exists: for every failed attempt, right username or wrong, only “ERROR: Invalid username/password combination” is shown, so the login form no longer acts as an oracle. However, this plugin has not been updated in more than 8 years. The same effect can be had from any maintained security plugin that unifies login errors, or from a few lines in a must-use plugin hooked to WordPress's login_errors filter, which lets you replace whatever message WordPress produced with a single generic one. A more comprehensive option is described below.

If you want a complete and comprehensive security solution for your WordPress site, a security plugin such as Astra WordPress Security becomes a must. Astra is an all-in-one security solution that offers a web application firewall, malware scanner, immediate malware cleanup, security audit & pentesting, community security and more.

The Astra firewall protects your website from 140+ common attacks such as SQLi, XSS, CSRF, bad bots, RFI/LFI, etc. It also deploys a real-time monitoring system on your website.

You can get an Astra demo here.
