Hackers search for user_login because they can use it to run brute-force attacks, but not user_nicename. You want to hide it from what type of user enumeration attempt?
user_nicename has the WordPress login username. The following displays the user_nicename (WordPress login username). Obviously one can change the user_nicename but I need to know how NFW removes or hides this for Nginx.
https://domain.com/author/john/ via https://domain.com/?author=1
https://domain.com/wp-json/wp/v2/users/?per_page=100&page=1
This reply was modified 5 years, 3 months ago by eddyferns.
This is blocked by “Firewall Policies > Protect against username enumeration > Through the author archives”:
https://domain.com/author/john/ via https://domain.com/?author=1
This is blocked by “Firewall Policies > Protect against username enumeration > Through the WordPress REST API”:
https://domain.com/wp-json/wp/v2/users/?per_page=100&page=1
I am aware of these options.
Was referring to the code that you use. Whether you utilize rewrite rules, if statements, etc.
We don’t use rewrite rules in NinjaFirewall, they all can be easily bypassed and wouldn’t work with Nginx. The firewall hooks into the WordPress API instead, that’s much more efficient and compatible with any HTTP server.
The rewrite rules worked with Nginx as I tried it myself. But Nginx strongly recommends against it.
As long as NFW doesn’t involve the server I think that should be alright.
For https://domain.com/?author=1, does NFW redirect to the home page?
That’s correct. As indicated in the doc:
This option will prevent access to the author archives page. Note that NinjaFirewall will not block the request but will invalidate it and redirect the user to the blog index page. The reason is that search engines such as Google may try to index that page and it is better to nicely redirect them rather than returning a 403 Forbidden message and closing the connection.
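As an added illustration of the two points made in this thread (the firewall hooking into the WordPress API rather than using server rewrite rules, and redirecting author-archive requests to the blog index instead of returning a 403), here is a small must-use plugin. It is example code written for this page, not NinjaFirewall's own implementation, which is not shown in the thread; it assumes a standard WordPress install where the file is dropped into wp-content/mu-plugins/.

```php
<?php
/*
 * Added example (not NinjaFirewall's code): block the two username
 * enumeration paths discussed above using WordPress hooks only, so the
 * same behaviour applies under Apache, Nginx or any other HTTP server.
 */

// 1. Author archives. Both /author/john/ and /?author=1 set the author
//    query variable. Run early (priority 1) so this fires before
//    WordPress's canonical redirect would turn ?author=1 into
//    /author/<user_nicename>/ and leak the slug. Instead of a 403,
//    invalidate the request and send the visitor to the blog index,
//    as the quoted documentation describes.
add_action( 'template_redirect', function () {
    if ( is_author() || isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}, 1 );

// 2. REST API. Remove the /wp/v2/users routes for any request whose
//    user lacks the list_users capability (anonymous requests included),
//    so GET /wp-json/wp/v2/users/?per_page=100&page=1 returns a
//    rest_no_route 404 instead of a JSON list of user slugs
//    (user_nicename) and display names.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

To check the result, request https://domain.com/?author=1 and https://domain.com/wp-json/wp/v2/users/ with curl -i while logged out: the first should answer with a 302 Location header pointing at the home page and no author slug in the body, the second with a 404 rest_no_route JSON error. Note that the REST filter keeps the routes for users who may list users, so the block editor and the admin user screens keep working for administrators.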
I heard that in case of a redirect the bot scanners do not follow the link but instead pick the author name which then doesn’t meet the security objective.
If that is the case wouldn’t it be better to return a blank page instead?
Bots will search for the user name in the HTML page, but here they won’t find it.