[wp-hackers] Author URLs expose usernames

Daniel Fenn danielx386 at gmail.com
Tue Jul 17 10:36:38 UTC 2012

Adding to that dont use admin or anything like that for the admin
account but you could get smart and have an account called admin but
only give it author level permission.

On 7/17/12, Jesse Friedman <highfive at jesserfriedman.com> wrote:
> One thing I always tell my clients is to make front facing authors as low
> on the role capabilities as possible. If that means having two accounts one
> administrator and the other author or subscriber level so be it.
> Never author anything as an admin
> This is more a tip and less of a solution
> Jesse
> On Jul 17, 2012 5:57 AM, "Harry Metcalfe" <harry at dxw.com> wrote:
>> Not a new issue by any means, but we're seeing an increasing number of
>> attacks where:
>>  * Usernames are first enumerated by visiting ?author=<id> and checking
>>    the username slug in the redirect URL
>>  * Brute-force password attacks are then carried out against those
>> accounts
>> I wondered whether WP might already have some mechanism for using
>> something else as an author slug, or for not redirecting ?author=. Or, if
>> not, whether something should be added or changed?
>> I realise usernames are probably used because nothing else in wp_user has
>> permanence, but this is very much not ideal for us. We run a couple of
>> big
>> members-only BuddyPress sites. And like all such sites, they have user
>> accounts with crap passwords. We have other controls to try to limit
>> that,
>> but the reality is that accessing the site is extremely trivial for an
>> attacker if usernames can be enumerated, because at least a couple of
>> them
>> will have passwords in the top 10 list, which will therefore be guessed
>> before our systems notice the attack and ban the IP/reset the password.
>> For the moment, we're 403ing requests for ?author=. Not exactly optimal
>> as
>> sites can still be spidered to look for /author/[username] links, but at
>> least it stops the naive attack.
>> Has anyone else done anything to deal with these sorts of attacks?
>> Harry
>> ______________________________**_________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.**com <wp-hackers at lists.automattic.com>
>> http://lists.automattic.com/**mailman/listinfo/wp-hackers<http://lists.automattic.com/mailman/listinfo/wp-hackers>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

Daniel Fenn

More information about the wp-hackers mailing list