I built a new site and forgot to protect against the "?author=n" technique. I had 2fa on all accounts so no hacker got access to the site's admin.
I've since fixed that security issue. Is there other methods that are used to learn user names? I ask because I'm still getting attempts to login with the hacked user name. They have no success since they are 2fa accounts. I'll change to new users shortly.
On a corollary question: Why does WordPress not assign the user number in a random method rather then serially as it is done today?
I built a new site and forgot to protect against the "?author=n" technique. I had 2fa on all accounts so no hacker got access to the site's admin.
I've since fixed that security issue. Is there other methods that are used to learn user names? I ask because I'm still getting attempts to login with the hacked user name. They have no success since they are 2fa accounts. I'll change to new users shortly.
On a corollary question: Why does WordPress not assign the user number in a random method rather then serially as it is done today?
Share Improve this question asked Dec 2, 2019 at 14:06 Rick9004Rick9004 191 gold badge1 silver badge3 bronze badges 1- knowing the user identifier doesn't help the hacker if there is a protection against brute force attacks. – Kaperto Commented Dec 2, 2019 at 14:21
1 Answer
Reset to default -1Yes, there are several techniques hackers may use to discover usernames on WordPress sites:
Author-based URLs: As you mentioned, the ?author=n technique is commonly used. Attackers can try appending different numbers to the ?author=n parameter to find valid usernames.
Login Brute Force: Hackers can try common usernames, such as "admin" or "administrator," and test them through brute force login attempts. This can often be automated.
Comment or Registration Forms: If an attacker submits a comment or tries to register on your site, they might be able to see valid usernames from publicly visible comments or error messages.
User Enumeration via REST API or XML-RPC: Attackers can also use the WordPress REST API or XML-RPC to probe for user information. These endpoints can reveal whether a given username exists by checking for error codes when submitting invalid login data.
Security Headers & Revealing Usernames: Sometimes, security misconfigurations like revealing usernames in HTTP headers or error messages may expose usernames to attackers.
Regarding your second question: WordPress assigns user IDs serially to avoid collisions or gaps in the database structure. However, this can indeed make it easier for attackers to enumerate users. It would be more secure if WordPress randomized or obfuscated user IDs, but this would require fundamental changes in how WordPress operates and could potentially break compatibility with some plugins or themes.
Additionally, you should also implement measures like disabling XML-RPC, blocking IPs that attempt brute force logins, and ensuring that all WordPress plugins and themes are up-to-date.