[wp-hackers] Author URLs expose usernames
Mike Schinkel
mike at newclarity.net
Wed Jul 18 01:04:47 UTC 2012
On Jul 17, 2012, at 5:56 AM, Harry Metcalfe wrote:
> Not a new issue by any means, but we're seeing an increasing number of attacks where:
>
> * Usernames are first enumerated by visiting ?author=<id> and checking
> the username slug in the redirect URL
> * Brute-force password attacks are then carried out against those accounts
Is it not possible to just 404 any URLs like that? Are direct URLs needed anywhere?
Here's code you can drop into your theme do return 404 for those URLs:
class No_Direct_Author_Attack {
function __construct() {
add_action( 'after_setup_theme', array( $this, 'after_setup_theme' ) );
}
function after_setup_theme() {
if ( preg_match( '#/\?author=[0-9]+$#', $_SERVER['REQUEST_URI'] ) ) {
status_header( 404 );
die( '404 — File not found.' );
}
}
}
new No_Direct_Author_Attack;
Hope this helps.
-Mike
More information about the wp-hackers
mailing list