[wp-hackers] Author URLs expose usernames

Mike Schinkel mike at newclarity.net
Wed Jul 18 01:04:47 UTC 2012


On Jul 17, 2012, at 5:56 AM, Harry Metcalfe wrote:
> Not a new issue by any means, but we're seeing an increasing number of attacks where:
> 
> * Usernames are first enumerated by visiting ?author=<id> and checking
>   the username slug in the redirect URL
> * Brute-force password attacks are then carried out against those accounts

Is it not possible to just 404 any URLs like that? Are direct URLs needed anywhere?

Here's code you can drop into your theme to return 404 for those URLs:

// Drop into the active theme's functions.php. Answers ?author=<id> requests on the
// front end with a 404 instead of letting WordPress redirect to /author/<slug>/.
class No_Direct_Author_Attack {
	function __construct() {
		add_action( 'after_setup_theme', array( $this, 'after_setup_theme' ) );
	}
	function after_setup_theme() {
		// Leave wp-admin alone: edit.php?author=<id> is a legitimate admin filter.
		if ( is_admin() ) {
			return;
		}
		// Check the parsed query string rather than anchoring a regex to the end of
		// REQUEST_URI, so ?author=1&foo=bar and ?foo=bar&author=1 are caught as well.
		if ( isset( $_GET['author'] ) && is_string( $_GET['author'] ) && ctype_digit( $_GET['author'] ) ) {
			status_header( 404 );
			nocache_headers();
			die( '404 &#8212; File not found.' );
		}
	}
}
new No_Direct_Author_Attack;

Hope this helps.

-Mike
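A fuller version of the same idea, added here as an example (my code, not code from the post above or from WordPress core): a must-use plugin that hooks template_redirect ahead of redirect_canonical(), so the redirect carrying the user slug is never sent, and that tells ?author=<id> apart from pretty /author/<slug>/ archives, which a naive check on get_query_var('author') would break. The plugin name and its placement under mu-plugins are assumptions.

```php
<?php
/*
Plugin Name: No Author ID Queries (added example; hypothetical mu-plugin, not from the list post)
Description: Returns 404 for ?author=<id> requests before WordPress's canonical
redirect can reveal the author slug. Place in wp-content/mu-plugins/.
*/

// WordPress hooks redirect_canonical() on template_redirect at priority 10.
// Priority 1 runs first, so the redirect to /author/<user_nicename>/ is never issued.
add_action( 'template_redirect', function () {
	global $wp, $wp_query;

	// Pretty author archives (/author/slug/) arrive as the author_name query var;
	// only a raw ?author=<id> request puts a numeric 'author' in the parsed request.
	// get_query_var('author') is deliberately not used: WP_Query fills it with the
	// resolved user ID for slug-based archives too, which would 404 every author page.
	$requested = isset( $wp->query_vars['author'] ) ? $wp->query_vars['author'] : '';
	if ( ! is_string( $requested ) || ! ctype_digit( $requested ) ) {
		return;
	}

	// Respond the same way whether or not a user with that ID exists, so the
	// status code alone does not confirm which IDs are valid accounts.
	$wp_query->set_404();
	status_header( 404 );
	nocache_headers();

	$template = get_404_template(); // '' when the theme ships no 404.php
	if ( $template ) {
		include $template;
	} else {
		echo '404 - File not found.';
	}
	exit;
}, 1 );
```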
