How to Prevent WordPress Username Scanning

How are hackers scanning & extracting WordPress usernames?

Even after deleting and re-creating users?

Automattic has in the past taken the position that revealing usernames is not a security risk. We disagree: a confirmed username leaves an attacker only the password to guess, and it opens an attack path to flood the WordPress instance with continuous login attempts. We are seeing 30K-80K attempts in a 30-day period. Every attempt costs extraneous database calls, plus .htaccess or nginx.conf rewrites to keep track of the IP addresses to block. Blocking enumeration does not replace strong passwords, two-factor authentication and login rate limiting; it denies the attacker a ready-made list of valid accounts to aim those attempts at. If you are a security-conscious administrator and would like to harden your WordPress configuration by blocking username scanning, here are the most effective ways to prevent it.

Here are the most common ways to scan for usernames:

A. The Usual Suspects – WordPress Username Scanning

Method 1

Scan by using the author-ID redirect, the classic WordPress username enumeration:

curl -s -I https://www.wordpress-website-to-check.com/?author=1

WordPress answers with a 301 redirect whose Location header points at the author archive for user ID 1. The last path segment of that URL is the user's slug (user_nicename), which WordPress derives from the login name when the account is created, so on most sites it is the username itself:

https://www.wordpress-website-to-check.com/blog/author/username1

Incrementing the ID (?author=2, ?author=3, and so on) walks every account on the site; an ID with no matching user produces no redirect, so live accounts stand out at a glance. Note that current WordPress versions only issue this redirect for users who have at least one published post, so testing against a freshly created account with no posts can give a false sense of safety.

Solution 1

Use a security plugin such as the iThemes Security Plugin.

With the plugin's protection enabled, the request no longer redirects to the author archive. This is the response we observed:

{"code":"itsec_rest_api_access_restricted","message":"You do not have sufficient permission to access this endpoint. Access to REST API requests is restricted by iThemes Security settings.","data":{"status":401}}

Method 2

Scan by using the WordPress REST API ‘users’ endpoint:
curl https://www.wordpress-website-to-check.com/wp-json/wp/v2/users

The JSON response lists every user who has published posts (the default visibility rule for this endpoint when the caller is not authenticated). Two fields matter: name is the display name (test3 here), while slug is the login-derived user slug (username1), which is what an attacker feeds to the login form:
[{"id":1,"name":"test3","url":"","description":"","link":"https:\/\/www.wordpress-website-to-check.com\/author\/username1\/","slug":"username1","meta":[],"_links":{"self":[{"href":"https:\/\/www.wordpress-website-to-check.com\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/www.wordpress-website-to-check.com\/wp-json\/wp\/v2\/users"}]}}]

Solution 2

Use a security plugin such as the iThemes Security Plugin and enable its setting that restricts the REST API to authenticated users.

Restricting the whole REST API is a blunt instrument: anything on the public front end that calls wp-json (contact forms, live search, some comment and block plugins) will receive the same error, so test those features after turning it on. With the restriction enabled, the unauthenticated response no longer contains user data:
{"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}

Method 3

The WordPress theme prints the login name instead of the display name (nickname)

The Yoast SEO plugin publishes metadata about the post's author

Some themes put the author's login name in post bylines, and Yoast SEO adds per-post author metadata to the page head that links to the author archive, whose URL ends in the user slug. To confirm which component is responsible, fetch a post and search the rendered HTML source for your known usernames.

Solution 3

Install a plugin that replaces author usernames with nicknames, or fix it at the source. Set each user's Nickname and "Display name publicly as" to something other than the login name, and change the user slug (user_nicename) so that author archive URLs stop containing the login name. WordPress does not show the slug on the profile screen; it can be changed with WP-CLI (wp user update accepts a user_nicename field) or with a plugin. Because Methods 1, 2 and 4 all leak the slug rather than the login name directly, a slug that differs from the login removes the root cause for all of them. Changing the slug changes the author archive URL, so update any links that point to it.

B – When Everything Else Fails – Block Username Scanning via oEmbed

Method 4

Most username scanning methods have been published on many websites. A less commonly known tactic is to query the oEmbed ‘embed’ endpoint under /wp-json/oembed/1.0/embed: it accepts any post or page URL on the site and returns details about that post's author, and it is easy to overlook when locking down the users endpoint:

curl https://www.wordpress-website-to-check.com/wp-json/oembed/1.0/embed?url=https://www.wordpress-website-to-check.com/

JSON response (author_name is the display name; the last path segment of author_url is the user slug):
{"version":"1.0","provider_name":"WEBSITE NAME","provider_url":"https:\/\/wordpress-website-to-check.com","author_name":"test3","author_url":"https:\/\/wordpress-website-to-check.com\/author\/username1\/","title":"Home",...

Solution 4

Remove the oEmbed embed route from the REST API with a rest_endpoints filter. Keep the /oembed/1.0/proxy route; the block editor uses it to preview embeds of third-party URLs and it does not expose local authors.

// Prevent the oEmbed endpoint from being used to harvest author slugs:
// drop its REST route so the request never reaches the oEmbed controller.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( isset( $endpoints['/oembed/1.0/embed'] ) ) {
        unset( $endpoints['/oembed/1.0/embed'] );
    }
    return $endpoints;
} );

After adding the snippet to the theme's functions.php (or, better, to a file in wp-content/mu-plugins/ so that it survives a theme switch), the route no longer exists:
{"code":"rest_no_route","message":"No route was found matching the URL and request method.","data":{"status":404}}
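Pulling the fixes together: the following must-use plugin is an added example written for this page, not code from the original post, from WordPress core or from iThemes. It covers Methods 1, 2 and 4 in one file, so the protection depends neither on the active theme nor on a plugin's settings. It assumes pretty permalinks are enabled (so /?author=N is never a legitimate public URL) and that nothing on the public front end needs the /wp/v2/users or /oembed/1.0/embed routes; Method 3 is a content issue and is handled under Solution 3. The users routes stay available to logged-in users because the block editor's author selector relies on them.

```php
<?php
/**
 * Plugin Name: Block Username Scanning (example)
 *
 * Added example for this page, not the page's own or iThemes' code.
 * Place this file in wp-content/mu-plugins/ so it loads before the theme
 * and regardless of which theme is active.
 *
 * Assumptions (see lead-in): pretty permalinks are enabled, and no public
 * front-end feature calls the users or oEmbed-embed REST routes.
 */

// Method 1: /?author=N makes WordPress answer with a 301 to /author/<slug>/.
// Refuse the request before the canonical redirect can run. wp-admin is
// exempt because its post list uses ?author= to filter by author, and users
// who may list users (administrators) are exempt as well.
add_action( 'init', function () {
    if ( is_admin() || ! isset( $_GET['author'] ) ) {
        return;
    }
    $author = (string) $_GET['author'];
    if ( preg_match( '/^\d+$/', $author ) && ! current_user_can( 'list_users' ) ) {
        // 403 with no Location header: the scanner learns nothing about the ID.
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
} );

// Methods 2 and 4: strip the REST routes that expose user slugs.
// /wp/v2/users, /wp/v2/users/<id> and /wp/v2/users/me are removed for
// anonymous callers only (the editor needs them when logged in);
// /oembed/1.0/embed is removed for everyone. /oembed/1.0/proxy is left in
// place: the editor calls it to preview third-party embeds.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        foreach ( array_keys( $endpoints ) as $route ) {
            if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
                unset( $endpoints[ $route ] );
            }
        }
    }
    unset( $endpoints['/oembed/1.0/embed'] );
    return $endpoints;
} );

// Stop advertising the embed endpoint in <head>
// (<link rel="alternate" type="application/json+oembed" href="...">),
// which would otherwise point scanners straight at the route removed above.
remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );
```

Verify with the curl commands from Methods 1, 2 and 4: the ?author=1 request now returns 403 with no Location header, and both REST routes answer with rest_no_route (a 404) for anonymous callers, which reveals even less than the 401 a plugin-based restriction returns.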

Specto Design's security team has developed a method to scan and analyze failed login attempts against active usernames. With it we can confirm that a website is leaking usernames, locate the cause and provide a fix.