How To: Enumerate WordPress Users (and how to fix it)

  • by Amando Abreu
  • on 18 February 2019

A common attack vector for WordPress is to enumerate users, see what juicy data you can get, and then try to brute-force the password, or even reuse known passwords from leaks on other services.

This is easily done because if you browse to /?author=1, WordPress will kindly redirect you to /author/name/ and literally hand over the information you want.

# Walk author IDs 1..5 on your own site. Both the canonical redirect (Location: .../author/name/)
# and the "View all posts by name" link title leak the username; strip everything but the name.
for i in {1..5}; do
  curl -s -L -i "http://www.wordpress-site.com/?author=$i" \
    | grep -E -o '" title="View all posts by [a-zA-Z0-9.-]*|Location:.*' \
    | sed -E 's/.*View all posts by //; s#.*/author/##; s#/.*##' \
    | tr -d '\r' \
    | grep -v '^$'
done

The fix

Place this code in your theme's functions.php file. It blocks both forms of the request: the plain /?author=N query string and the canonical redirect that would otherwise turn it into /author/name/.

if (!is_admin()) {
    // Default (non-permalink) URL format: /?author=N
    // Guard the lookup so a missing QUERY_STRING does not raise a notice.
    $query = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
    if (preg_match('/author=([0-9]*)/i', $query)) die();

    // Permalink format: intercept the canonical redirect before it maps /?author=N to /author/name/
    add_filter('redirect_canonical', 'shapeSpace_check_enum', 10, 2);
}

function shapeSpace_check_enum($redirect, $request) {
    // $request is the URL originally requested; abort instead of redirecting when it carries ?author=N
    if (preg_match('/\?author=([0-9]*)(\/*)/i', $request)) die();
    return $redirect;
}
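To confirm the fix actually took effect, it helps to have a check that reads a raw HTTP response and says whether it still exposes a username through either channel described above (the Location header or the "View all posts by" link title). The script below is an added example, not code from the post; it works on response text you capture yourself (for instance with `curl -s -i`, without `-L`, so the first response is the one inspected), and the sample responses inside it are constructed to show a site before and after the fix.

```python
import re
from typing import Dict, Optional, Tuple

# The two leak channels the post describes:
# 1. the canonical redirect to /author/<name>/
# 2. the "View all posts by <name>" link title on the rendered author page
_LOCATION_RE = re.compile(r"/author/([A-Za-z0-9._-]+)/?", re.IGNORECASE)
_TITLE_RE = re.compile(r'title="View all posts by ([A-Za-z0-9._-]+)"', re.IGNORECASE)


def parse_raw_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP response (as printed by `curl -s -i`) into (status, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def leaked_username(status: int, headers: Dict[str, str], body: str) -> Optional[str]:
    """Return the username a ?author=N response exposes, or None if it exposes nothing."""
    m = _LOCATION_RE.search(headers.get("location", ""))
    if m:
        return m.group(1)
    m = _TITLE_RE.search(body)
    if m:
        return m.group(1)
    return None


def is_enumerable(raw: str) -> Optional[str]:
    """Convenience wrapper: raw response text in, leaked username (or None) out."""
    return leaked_username(*parse_raw_response(raw))


# Constructed sample responses (hypothetical site and user name).
BEFORE_FIX_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://www.wordpress-site.com/author/alice/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
BEFORE_FIX_AUTHOR_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    '<html><body><a href="/author/alice/" title="View all posts by alice">alice</a></body></html>'
)
# After the functions.php fix, die() ends the request with an empty body and no redirect.
AFTER_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)


def check_samples() -> Dict[str, Optional[str]]:
    """Run the check over the constructed samples; useful as a self-test of the patterns."""
    return {
        "before_fix_redirect": is_enumerable(BEFORE_FIX_REDIRECT),
        "before_fix_author_page": is_enumerable(BEFORE_FIX_AUTHOR_PAGE),
        "after_fix": is_enumerable(AFTER_FIX),
    }


if __name__ == "__main__":
    for label, name in check_samples().items():
        print(f"{label:24s} -> {'LEAKS ' + name if name else 'no username exposed'}")
```

Feed `is_enumerable()` the saved output of a request to your own site's /?author=1 once the fix is in place; a `None` result for every ID you try means neither the redirect nor the rendered author page is handing the name over any more.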

About the author

Amando Abreu is a serial entrepreneur, Fractional CTO, and engineer who has been involved in several startups and launched dozens of products. He has worked with companies such as trivago, Portugal Telecom, and Vizrt. He has experience in several industries, most notably e-commerce, SaaS, media, travel, insurance, property development, and construction.