Stop user enumeration for security.
| Author: | Carlos Montiers Aguilera (profile at wordpress.org) |
| WordPress version required: | 2.9 |
| WordPress version tested: | 5.2.6 |
| Plugin version: | 1.3.2 |
| Added to WordPress repository: | 04-04-2016 |
| Last updated: | 23-10-2019
Warning! This plugin has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
|
| Rating, %: | 0 |
| Rated by: | 0 |
| Plugin URI: | |
| Total downloads: | 3 701 |
| Active installs: | 900+ |
 Click to start download |
|
In many WordPress installations is possible enumerate usernames through the author archives, using urls like this:
http://wpsite/?author=1
http://wpsite/?author=1/
http://wpsite/?bypass=1&author%00=1
http://wpsite/?author%00=%001
http://wpsite/?%61uthor=1
And recently wordpress since 4.7 comes with a rest api integrated that allow list users:
curl -s http://wpsite/wp-json/wp/v2/users/
curl -s http://wpsite/?rest_route=/wp/v2/users
curl http://wpsite/?_method=GET -d rest_route=/wp/v2/users
Know the username of a administrator is the half battle, now an attacker only need guest the password.
This plugin stop it.
Also, is possible get usernames from the post entries.
This plugin, hide the name of the author in a post entry if he is not using a nickname.
Also, hide the url page link of an administrator author.
The main goal is hide the administrators usernames.
Obviously, is better not choose “admin” as the username because is easiliy guessable.
FAQ
ChangeLog