WordPress Username Enumeration Techniques and How to Fix Them

Web applications usually rely on an authentication mechanism to prevent unauthorized or anonymous users from accessing the application’s protected resources and functionality. Attackers routinely look for weaknesses in that mechanism as a way into those protected resources.

Username enumeration is one of the most common attacks against an authentication mechanism; its goal is to identify which usernames are valid on the system, turning a guess at two unknowns (username and password) into a guess at one.

In this article we discuss several ways of identifying the valid usernames of a WordPress website, and how to close each of them.

[Method 1] Enumerate Usernames Through the Author Archives:

In many WordPress installations, it is possible to enumerate WordPress usernames, including the admin username, through the author archives. To reach an author archive, we only need to add author=n (where n is any integer user ID) as a query parameter on the WordPress home page, as follows:

http://example.com/?author=1

WordPress automatically redirects the request to the corresponding author permalink, which contains the user’s login name:

http://example.com/author/admin/

Using this method, we can identify every username on the site by fuzzing the author parameter over a range of integers and reading the name out of each redirect.

Remediation and Fix Techniques:

We can block author archives username enumeration by applying one of the following techniques:

· Adding a code snippet to the theme’s functions.php file

· Adding a code snippet to site’s root .htaccess file

Code Snippet to the Theme’s functions.php File

To block user-enumeration via functions.php, add the following code to your theme’s functions file:

if (!is_admin()) {
    // default URL format
    if (preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])) die();
    add_filter('redirect_canonical', 'shapeSpace_check_enum', 10, 2);
}

function shapeSpace_check_enum($redirect, $request) {
    // permalink URL format
    if (preg_match('/\?author=([0-9]*)(\/*)/i', $request)) die();
    else return $redirect;
}

No editing is required for this to work; just copy, paste and you are done. Here’s how it works:

1. Check whether the request is for a page in the WP Admin Area (the block is skipped there, so legitimate admin screens keep working)

2. Block the request if it’s for an author archive, whether requested as a query string (author=n) or as the permalink form WordPress would redirect to

Code Snippet to Site’s Root .htaccess File

If you would rather block requests at the server level, you can add the following slice of .htaccess to your site’s root .htaccess file:

# Block User ID Phishing Requests
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} ^author=([0-9]*)
RewriteRule .* http://example.com/? [L,R=302]
</IfModule>

Replace http://example.com/ with your own WordPress site URL; the trailing ? drops the original query string from the redirect target.

[Method 2] Enumerate Usernames Through Differing Login Error Messages:

When a user tries to log into a WordPress site and the username exists, the application returns an error message saying that the password for that user is wrong, which confirms that the username exists. If the username does not exist, the application returns a different error message saying that the username is invalid. The two responses can be told apart without knowing any password.

The screenshot below shows the valid username message:

The screenshot below shows the invalid username message:

To automate the process, I created the following Python script that will extract the valid WordPress usernames.

https://github.com/Ahmed-Elhady-Mohamed/wordPress-Scripts/blob/master/wp-user-enum-script.py

The script takes three arguments: the domain name, the login page and the username wordlist file, as shown below:

Remediation and Fix Techniques:

To prevent attackers from enumerating WordPress usernames using this method, we need to install and activate the “Unified Login Error Messages” WordPress plugin. When the “Unified Login Error Messages” plugin is activated, the login error message is changed to “ERROR: Invalid username/password combination.” Regardless of whether the submitted username is correct or not, the authentication error message remains the same. This fixes the username enumeration problem caused by the inconsistent error messages on the login page.
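Both methods leave a distinctive footprint in the web server’s access log, even after the fixes above are applied: a single client walking ?author=1, ?author=2, … (Method 1), or a single client posting to wp-login.php dozens of times in a short window (Method 2). The script below is an added example written for this article, not the author’s script linked above and not part of WordPress; it reports clients showing either pattern, and for Method 1 also lists which usernames were actually disclosed to that client, which is what an incident responder needs to know. The log lines, IP addresses and thresholds are constructed for the demo, and the Apache combined log format is assumed.

```python
"""Spot WordPress username-enumeration activity in access logs (added example).

Method 1 shows up as one client requesting many distinct ?author=N values
(and following the redirects to /author/<name>/); Method 2 shows up as a
burst of POSTs to wp-login.php from one client.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log layout; assumed for the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
AUTHOR_QS = re.compile(r'[?&]author=(\d+)')          # ?author=N form
AUTHOR_PERMALINK = re.compile(r'^/author/([^/?]+)/?')  # /author/<name>/ form

# Constructed sample: 203.0.113.5 enumerates, 198.51.100.9 is an ordinary
# visitor, 192.0.2.44 probes the login form, 192.0.2.10 mistypes once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /author/admin/ HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /author/editor/ HTTP/1.1" 200 4870
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?author=3 HTTP/1.1" 404 1200
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?author=4 HTTP/1.1" 404 1200
198.51.100.9 - - [10/Oct/2023:14:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0
198.51.100.9 - - [10/Oct/2023:14:01:05 +0000] "GET /author/admin/ HTTP/1.1" 200 5120
192.0.2.44 - - [10/Oct/2023:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
192.0.2.44 - - [10/Oct/2023:14:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
192.0.2.44 - - [10/Oct/2023:14:10:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
192.0.2.44 - - [10/Oct/2023:14:10:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
192.0.2.44 - - [10/Oct/2023:14:10:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
192.0.2.44 - - [10/Oct/2023:14:10:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
192.0.2.44 - - [10/Oct/2023:14:10:18 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
192.0.2.10 - - [10/Oct/2023:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
192.0.2.10 - - [10/Oct/2023:14:20:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_author_enumeration(lines, min_ids=3):
    """Clients that requested at least min_ids distinct ?author=N values.

    For each flagged client also report the author names it reached with a
    200, i.e. the usernames actually disclosed to it.
    """
    ids_by_ip = defaultdict(set)
    names_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        qs = AUTHOR_QS.search(rec["path"])
        if qs:
            ids_by_ip[rec["ip"]].add(int(qs.group(1)))
        pl = AUTHOR_PERMALINK.match(rec["path"])
        if pl and rec["status"] == 200:
            names_by_ip[rec["ip"]].add(pl.group(1))
    return {
        ip: {"ids": sorted(ids), "confirmed": sorted(names_by_ip[ip])}
        for ip, ids in ids_by_ip.items()
        if len(ids) >= min_ids
    }


def find_login_probing(lines, max_posts=5, window_seconds=60):
    """Clients whose POSTs to wp-login.php exceed max_posts in any
    sliding window of window_seconds; value is the peak count seen."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php":
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_posts:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, info in find_author_enumeration(lines).items():
        print(f"author-archive enumeration from {ip}: ids {info['ids']}, "
              f"usernames disclosed {info['confirmed']}")
    for ip, peak in find_login_probing(lines).items():
        print(f"login probing from {ip}: {peak} POSTs to wp-login.php within a minute")
```

Run it against a real log with `find_author_enumeration(open('access.log'))`; both functions accept any iterable of lines. The thresholds are deliberately low for the sample; on a busy site tune min_ids and max_posts against normal traffic, and remember that once the .htaccess rule above is in place the author=N requests will still appear in the log (as 302s), so the Method 1 detector keeps working after the fix.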

Ahmed Elhady Mohamed

Written by

Cyber Security Consultant. Technical Writer
