[wp-hackers] Author URLs expose usernames
harry at dxw.com
Tue Jul 17 09:56:58 UTC 2012
Not a new issue by any means, but we're seeing an increasing number of
* Usernames are first enumerated by visiting ?author=<id> and checking
the username slug in the redirect URL
* Brute-force password attacks are then carried out against those accounts
I wondered whether WP might already have some mechanism for using
something else as an author slug, or for not redirecting ?author=. Or,
if not, whether something should be added or changed?
I realise usernames are probably used because nothing else in wp_user
has permanence, but this is very much not ideal for us. We run a couple
of big members-only BuddyPress sites. And like all such sites, they have
user accounts with crap passwords. We have other controls to try to
limit that, but the reality is that accessing the site is extremely
trivial for an attacker if usernames can be enumerated, because at least
a couple of them will have passwords in the top 10 list, which will
therefore be guessed before our systems notice the attack and ban the
IP/reset the password.
For the moment, we're 403ing requests for ?author=. Not exactly optimal
as sites can still be spidered to look for /author/[username] links, but
at least it stops the naive attack.
Has anyone else done anything to deal with these sorts of attacks?
More information about the wp-hackers