[wp-hackers] Author URLs expose usernames

Harry Metcalfe harry at dxw.com
Tue Jul 17 09:56:58 UTC 2012

Not a new issue by any means, but we're seeing an increasing number of 
attacks where:

  * Usernames are first enumerated by visiting ?author=<id> and checking
    the username slug in the redirect URL
  * Brute-force password attacks are then carried out against those accounts

I wondered whether WP might already have some mechanism for using 
something else as an author slug, or for not redirecting ?author=. Or, 
if not, whether something should be added or changed?

I realise usernames are probably used because nothing else in wp_user 
has permanence, but this is very much not ideal for us. We run a couple 
of big members-only BuddyPress sites. And like all such sites, they have 
user accounts with crap passwords. We have other controls to try to 
limit that, but the reality is that accessing the site is extremely 
trivial for an attacker if usernames can be enumerated, because at least 
a couple of them will have passwords in the top 10 list, which will 
therefore be guessed before our systems notice the attack and ban the 
IP/reset the password.

For the moment, we're 403ing requests for ?author=. Not exactly optimal 
as sites can still be spidered to look for /author/[username] links, but 
at least it stops the naive attack.

Has anyone else done anything to deal with these sorts of attacks?
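As an added example (not part of the post above, nor WordPress's own code), the script below shows the two halves of the attack pattern described in the message in working form: what an attacker extracts from the ?author=N redirect, and a log-side check that flags an IP which walks several ?author= IDs and then starts POSTing to wp-login.php. It assumes Apache combined-format access logs; the log lines, IP addresses and the "harry"/"admin" slugs are constructed for the example, and the thresholds (three distinct IDs, three login POSTs within 30 minutes) are arbitrary starting points, not recommended values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format). IPs are from
# documentation ranges and the usernames are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jul/2012:09:10:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2012:09:10:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2012:09:10:02 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2012:09:10:03 +0000] "GET /?author=4 HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2012:09:10:03 +0000] "GET /?author=5 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2012:09:11:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2012:09:11:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2012:09:11:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.20 - - [17/Jul/2012:09:12:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.20 - - [17/Jul/2012:09:12:30 +0000] "GET /author/admin/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Jul/2012:09:13:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def author_id(path):
    """Return the numeric ?author= value from a request path, or None if absent/non-numeric."""
    vals = parse_qs(urlsplit(path).query).get("author")
    if not vals or not vals[0].isdigit():
        return None
    return int(vals[0])


def slug_from_location(location):
    """What the attacker reads off the 301: the username slug in
    Location: http://host/author/<slug>/ (returns None if no author path)."""
    m = re.search(r"/author/([^/?#]+)/?", urlsplit(location).path)
    return m.group(1) if m else None


def find_enumerators(lines, min_ids=3):
    """IPs that requested at least min_ids distinct ?author= values (404s count too:
    the attempt is the signal, not the response)."""
    ids = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        aid = author_id(rec["path"])
        if aid is not None:
            ids[rec["ip"]].add(aid)
    return {ip: sorted(s) for ip, s in ids.items() if len(s) >= min_ids}


def find_bruteforce_after_enum(lines, min_ids=3, min_logins=3, window=timedelta(minutes=30)):
    """IPs that enumerated authors and then POSTed to wp-login.php at least
    min_logins times within `window` after their last enumeration request."""
    enumerators = find_enumerators(lines, min_ids)
    last_enum = {}
    logins = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] not in enumerators:
            continue
        if author_id(rec["path"]) is not None:
            last_enum[rec["ip"]] = max(rec["ts"], last_enum.get(rec["ip"], rec["ts"]))
        elif rec["method"] == "POST" and urlsplit(rec["path"]).path.endswith("/wp-login.php"):
            logins[rec["ip"]].append(rec["ts"])
    flagged = []
    for ip, t0 in last_enum.items():
        hits = sum(1 for t in logins[ip] if t0 <= t <= t0 + window)
        if hits >= min_logins:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("enumerators:", find_enumerators(lines))
    print("enumerate-then-brute-force:", find_bruteforce_after_enum(lines))
```

Note the limits this shares with the 403 approach described in the post: an attacker who already has the slugs (from spidered /author/<username>/ links or the author archive, as the second IP in the sample does) never trips the enumeration half, so the login-POST threshold still needs its own rate limit independent of this correlation.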


