The WordPress Exploit You Should Know About

Ian Svoboda
The Code Dojo
Jun 27, 2015

Your usernames are not as safe as you might think

I noticed a rather alarming issue that appears to affect every single WordPress site out of the box. There is a query-string parameter you can use to determine the username of the WordPress installation you’re looking at (which can then be used to attempt unauthorized logins).

To test this, go to any WordPress site, add ?author=1 to the end of the homepage URL, and load it. By default WordPress redirects to a URL that contains a login username directly in the path, in this format:

sitedomain.com/author/username/

A hacker could use this in a more targeted penetration attempt on your WordPress installation (versus having to guess the username or find it out some other, more difficult way). Interestingly enough, this appears to have been reported at least 2 years ago, without any official fix.

Can it be fixed? Absolutely.

There is a thread on the WordPress Forums that talks about this issue and includes a fix (via .htaccess mods), so it’s definitely something you can fix today. Here’s the .htaccess mod that user joe.toomey suggests in the post:

RewriteCond %{REQUEST_URI}  ^/$
RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
RewriteRule ^(.*)$ http://www.wordpressexample.com/some-real-dir/? [L,R=301]

Note: You need to customize line 3 for your specific installation to reflect your site URL and the redirect target (such as the front page).
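To see exactly which requests the three lines above catch, here is an added Python emulation of the two RewriteCond tests; it is not code from the post or from the forum thread. In .htaccess context mod_rewrite's REQUEST_URI is the request path and QUERY_STRING is everything after the ?, and each RewriteCond pattern is an unanchored regex search, which Python's re.search reproduces. Beside the post's query-string pattern the example also tests a hardened variant of my own, (^|&)author=([0-9]+), because the original pattern is anchored with ^ and so only matches when author= is the first query parameter. The hostname and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Pattern from the post's second RewriteCond line (the leading "/?" is an
# optional slash, so it still matches "author=1").
ORIGINAL_QUERY_PATTERN = r"^/?author=([0-9]*)"
# Hardened variant (my addition, not from the post): author= may appear
# anywhere in the query string, not only as the first parameter.
HARDENED_QUERY_PATTERN = r"(^|&)author=([0-9]+)"
# Pattern from the post's first RewriteCond line: front page only.
HOMEPAGE_PATTERN = r"^/$"

# Constructed sample requests against the post's example hostname.
SAMPLE_REQUESTS = [
    "http://www.wordpressexample.com/?author=1",
    "http://www.wordpressexample.com/?author=12",
    "http://www.wordpressexample.com/?utm_source=x&author=1",
    "http://www.wordpressexample.com/about/?author=1",
    "http://www.wordpressexample.com/",
]


def rule_matches(url, query_pattern):
    """Return True when both RewriteCond lines match the request, i.e. when
    the RewriteRule would fire and redirect the client away from the
    author lookup. REQUEST_URI is the path; QUERY_STRING follows the '?'."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return bool(re.search(HOMEPAGE_PATTERN, path)) and bool(
        re.search(query_pattern, parts.query)
    )


def coverage(query_pattern):
    """Map each sample URL to whether the rule would redirect it."""
    return {url: rule_matches(url, query_pattern) for url in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_QUERY_PATTERN),
                           ("hardened", HARDENED_QUERY_PATTERN)):
        print(label)
        for url, hit in coverage(pattern).items():
            print(f"  {'REDIRECT' if hit else 'pass    '} {url}")
```

Running it shows that the post's pattern redirects /?author=1 and /?author=12 but lets /?utm_source=x&author=1 through, while the hardened pattern catches all three. Both versions leave requests to any path other than / untouched, because the first RewriteCond restricts the rule to the front page; whether other paths on your install also resolve the author lookup is something to verify against your own site.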

I would highly recommend you add this (or your own equivalent solution) to prevent the username data from being exposed to hackers or anyone else.

This is something that should be done as a part of your other security efforts, of course. Interestingly enough, WordPress.org appears to have prevented this behavior on their own site (at the time of this posting).
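One of those other efforts is noticing when someone is walking through ?author=1, ?author=2, … against your site, which stands out in the access log as one client requesting several different author IDs. The following Python script is an added example, not part of the post: it parses Apache combined-format log lines and flags clients that requested at least two distinct author IDs. The log lines, IP addresses and the threshold of two IDs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format), not real traffic.
# The 301 responses are the redirect to /author/username/ that the post describes.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jun/2015:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Jun/2015:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Jun/2015:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 3012 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Jun/2015:10:05:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Jun/2015:10:05:09 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# author=N anywhere in the query string, whether first or a later parameter.
AUTHOR_QUERY = re.compile(r'(?:\?|&)author=(\d+)')


def author_probes(log_text):
    """Map each client IP to the sorted list of author IDs it requested via ?author=N."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        q = AUTHOR_QUERY.search(m.group("target"))
        if q:
            probes[m.group("ip")].add(int(q.group(1)))
    return {ip: sorted(ids) for ip, ids in probes.items()}


def enumeration_suspects(log_text, min_distinct_ids=2):
    """Return only the clients that requested at least min_distinct_ids different author IDs.

    A single ?author=1 request is common enough (links, crawlers) that the
    threshold is what separates a one-off from a sweep; tune it for your site."""
    return {
        ip: ids
        for ip, ids in author_probes(log_text).items()
        if len(ids) >= min_distinct_ids
    }


if __name__ == "__main__":
    for ip, ids in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{ip} requested author IDs {ids}")
```

Once the .htaccess rule is in place the 301 still appears in the log, but it now points at your chosen front-page redirect rather than at /author/username/, so the same script keeps working as a record of who is probing even after the leak is closed.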

I hope this information helps you in some manner.

Have you dealt with this issue and resolved it another way? Let me know!

Twitter: @iansvo
