[wp-hackers] Author URLs expose usernames
highfive at jesserfriedman.com
Tue Jul 17 10:31:14 UTC 2012
One thing I always tell my clients is to make front facing authors as low
on the role capabilities as possible. If that means having two accounts one
administrator and the other author or subscriber level so be it.
Never author anything as an admin
This is more a tip and less of a solution
On Jul 17, 2012 5:57 AM, "Harry Metcalfe" <harry at dxw.com> wrote:
> Not a new issue by any means, but we're seeing an increasing number of
> attacks where:
> * Usernames are first enumerated by visiting ?author=<id> and checking
> the username slug in the redirect URL
> * Brute-force password attacks are then carried out against those accounts
> I wondered whether WP might already have some mechanism for using
> something else as an author slug, or for not redirecting ?author=. Or, if
> not, whether something should be added or changed?
> I realise usernames are probably used because nothing else in wp_user has
> permanence, but this is very much not ideal for us. We run a couple of big
> members-only BuddyPress sites. And like all such sites, they have user
> accounts with crap passwords. We have other controls to try to limit that,
> but the reality is that accessing the site is extremely trivial for an
> attacker if usernames can be enumerated, because at least a couple of them
> will have passwords in the top 10 list, which will therefore be guessed
> before our systems notice the attack and ban the IP/reset the password.
> For the moment, we're 403ing requests for ?author=. Not exactly optimal as
> sites can still be spidered to look for /author/[username] links, but at
> least it stops the naive attack.
> Has anyone else done anything to deal with these sorts of attacks?
> wp-hackers mailing list
> wp-hackers at lists.automattic.**com <wp-hackers at lists.automattic.com>
More information about the wp-hackers