You’re not going to tell me right…of course you’re not!
But did you know unless you’ve taken the necessary steps (or your hosting company/web developer has) a hacker can find out what your username is in a few seconds?
By simply adding the string /?author=(number) to the end of you domain will result in your username being displayed if not protected. Most sites have no more than 2 registered usernames so botnets typically search up to 10 numbers e.g.
https://mywebsite.co.uk/?author=1
https://mywebsite.co.uk/?author=2
https://mywebsite.co.uk/?author=3
etc.
In the screen grab below I’ve added the extra string…
I press enter and… tadaaarr! As if by magic the username ‘test1’ appears in the URL string!
Try it out on your own WordPress website, you may need to keep going up in numbers depending on how your website was built, but it should be under ten. A sure sign that this hole has been patched up by your web dev is that you get nothing back, or an error message or even locked out of that site.
We’re protected
I wouldn’t bother trying on our website, as we are protected and you will find yourself blocked from our website for a month and don’t try it on anyone else’s website without permission, as hacking is illegal and your intentions may be misunderstood.
You’re not protected – now what?
OK so you’re site isn’t protected – anyone can find out what your username is, so what?
Did you hear about the botnets attacking WordPress sites with the username ‘admin’ in the news? Once they have a username half the battle is won, they can run scanners like https://wpscan.org/ – to try hundreds of variations of popular passwords in minutes, once they’re in – it’s not worth thinking about.
Fix it
This hole can be plugged, it’s important that it is fixed as your website is at risk, ask your web developer they should be able to to help – if not get in touch and see what web design Surrey can do.
Our clients are protected as it’s one of a number of security services we provide.
WebMasta says
Adding a slash to url seems to bypass protection, see here:
http://wordpress.org/support/topic/adding-a-slash-to-url-bypasses-protection
llocally says
Many thanks for identifying this. I have made a change to make this get filtered too. See the latest version 1.2.2 here http://wordpress.org/plugins/stop-user-enumeration/
x says
Why not use something like:
RewriteCond %{QUERY_STRING} author [NC]
RewriteRule .* /? [NC,L,R]
RewriteRule author / [NC,L,R]
in your .htaccess file
Alan says
Of course adding rules to .htaccess is a way of blocking this, although of course it requires a level of technical competence that goes beyond installing a plugin. Your rule is fine as far as it goes, however it will break some queries done legitimately from the wp-admin backend, so needs further modification.
The main advantage of the plugin (beyond not filtering if admin) is that it logs attempts to enumerate to the syslog so that (if you have it) fail2ban can be configured to block that IP from ALL access, not just authors. As many attacks start by trying to enumerate the author, by blocking the IP then thwarts the other attempts, e.g. to enumerate plugins, for security weaknesses.
Hope that answers your question.