[wp-hackers] Author URLs expose usernames (Harry Metcalfe)

John dailyrants at gmail.com
Tue Jul 17 11:57:10 UTC 2012


The WP Author Slug plugin will use the display name for the slug instead of
the login name.

http://en.wp.obenland.it/wp-author-slug/




> ------------------------------
>
> Message: 2
> Date: Tue, 17 Jul 2012 10:56:58 +0100
> From: Harry Metcalfe <harry at dxw.com>
> Subject: [wp-hackers] Author URLs expose usernames
> To: wp-hackers at lists.automattic.com
> Message-ID: <500536EA.2000103 at dxw.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Not a new issue by any means, but we're seeing an increasing number of
> attacks where:
>
>   * Usernames are first enumerated by visiting ?author=<id> and checking
>     the username slug in the redirect URL
>   * Brute-force password attacks are then carried out against those
>     accounts
>
> I wondered whether WP might already have some mechanism for using
> something else as an author slug, or for not redirecting ?author=. Or,
> if not, whether something should be added or changed?
>
> I realise usernames are probably used because nothing else in wp_user
> has permanence, but this is very much not ideal for us. We run a couple
> of big members-only BuddyPress sites. And like all such sites, they have
> user accounts with crap passwords. We have other controls to try to
> limit that, but the reality is that accessing the site is extremely
> trivial for an attacker if usernames can be enumerated, because at least
> a couple of them will have passwords in the top 10 list, which will
> therefore be guessed before our systems notice the attack and ban the
> IP/reset the password.
>
> For the moment, we're 403ing requests for ?author=. Not exactly optimal
> as sites can still be spidered to look for /author/[username] links, but
> at least it stops the naive attack.
>
> Has anyone else done anything to deal with these sorts of attacks?
>
> Harry
>
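The enumeration pattern Harry describes (a run of ?author=<id> requests that 301 to /author/<slug>/, followed by POSTs to wp-login.php) leaves a clear trace in the web-server access log. The following is an added example, not code from the thread or from WordPress, that flags such source IPs; the log lines, IPs and the min_ids threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format, abbreviated).
# The IPs and timestamps are made up; the first client walks ?author=1..5 and
# then hits the login form, the second touches only one ID.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jul/2012:10:01:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [17/Jul/2012:10:01:02 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.7 - - [17/Jul/2012:10:01:03 +0000] "GET /?author=3 HTTP/1.1" 301 0
203.0.113.7 - - [17/Jul/2012:10:01:04 +0000] "GET /?author=4 HTTP/1.1" 404 0
203.0.113.7 - - [17/Jul/2012:10:01:05 +0000] "GET /?author=5 HTTP/1.1" 301 0
203.0.113.7 - - [17/Jul/2012:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 0
203.0.113.7 - - [17/Jul/2012:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 0
198.51.100.9 - - [17/Jul/2012:10:03:00 +0000] "GET /?author=1 HTTP/1.1" 301 0
198.51.100.9 - - [17/Jul/2012:10:03:30 +0000] "GET /author/harry/ HTTP/1.1" 200 0
"""

# client IP, request method, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) ([^ "]+) [^"]*" (\d{3})')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

def parse(log_text):
    """Yield (ip, method, path, status) for each parseable line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def find_enumerators(log_text, min_ids=3):
    """Return {ip: {"ids", "leaked", "login_posts"}} for every IP that probed
    at least `min_ids` distinct ?author= IDs (threshold is an assumption).
    A 301/302 on ?author=<id> means WordPress redirected to /author/<slug>/,
    i.e. that ID's username was disclosed to the client."""
    ids, leaked, logins = defaultdict(set), defaultdict(set), defaultdict(int)
    for ip, method, path, status in parse(log_text):
        m = AUTHOR_RE.search(path)
        if m:
            ids[ip].add(int(m.group(1)))
            if status in (301, 302):
                leaked[ip].add(int(m.group(1)))
        elif method == "POST" and path.startswith("/wp-login.php"):
            logins[ip] += 1
    return {ip: {"ids": sorted(ids[ip]), "leaked": sorted(leaked[ip]),
                 "login_posts": logins[ip]}
            for ip in ids if len(ids[ip]) >= min_ids}

if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(ip, info)
```

Lowering min_ids to 1 lists every client that touched ?author= at all, which is useful for checking how often legitimate traffic hits it before deciding to 403 the parameter as Harry does.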

