Support » Plugin: Stop User Enumeration » hacker keeps trying to break in through the XML-RPC gateway.

  • Resolved tcwilli1

    (@tcwilli1)


    I changed the user’s name, the password, and the email address of the admin, and the hacker keeps finding the new user’s name. I deleted all the themes and plugins I am not using. The hacker keeps trying to break in through the XML-RPC gateway.

    • This topic was modified 2 months, 3 weeks ago by tcwilli1.
    • This topic was modified 2 months, 3 weeks ago by Yui. Reason: renamed topic, not informative name
Viewing 6 replies - 1 through 6 (of 6 total)
  • tcwilli1, hi there.

    Often leaked admin/author usernames are caused by an active theme, and this plugin can’t protect you from such issues.

    Thread Starter tcwilli1

    (@tcwilli1)

    Thank you for the answer. I will change the theme. I was using a WordPress theme.

    tcwilli1, not sure it will work, because almost every theme has such an author/information block (even commented). Maybe you should create a child theme w/o author links/bio/info instead?

    Plugin Author Alan Fuller

    (@alanfuller)

    Good morning.

    It is great to see the community helping out; this is the way the open-source project is meant to work. Thanks @m0ze

    m0ze is exactly right in terms of links, in that WP has by default an author archive and that is often (depending on theme) linked to from post meta. Unfortunately, the author archive exposes the underlying user name, e.g. example.com/author/fred

    So a hacker can manually, or through link scraping, also find the user name.

    This plugin looks at a specific attack vector – used by automated hacking tools – user enumeration, where an attacker can simply loop through numbers, e.g.
    example.com?author=1
    example.com?author=2
    etc.

    When I built this plugin some 8 years ago the intention was to (as it still can today) link it to Fail2Ban, so that when an automated tool tries the user enumeration technique, the IP is banned, hence stopping the tool in its tracks.

    Since I built this plugin, other security tools, including WordFence (which at one time had my exact code line by line – it’s GPL so that’s OK – attribution would have been nice though) started stopping user enumeration, and so the hackers had to use different techniques.

    The tool is still valid today against user enumeration, but it has less effect as it doesn’t try and stop other techniques that hackers have developed.

    As well as link scraping, one common way of obtaining the user name is via the XML feed. However, this is only because many people don’t bother to fill in the user details, so if you just create a user without a first name that is different from the user name, the ‘Display Name’ is the user name. Having ‘Display Name’ as user name is very common and a great way for automated tools to guess user names.

    So go check your Display Names are different to user names.

    One day I might write some code to check / enforce display name / nick name / user names are different. As it is open source, if anyone wants to contribute code please feel free.
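As an added example (it is not the plugin’s code and not something Alan Fuller posted), the following Python script shows both checks from the defender’s side: it scans web-server access-log lines for one client cycling through ?author=N values, the enumeration pattern the plugin hands to Fail2Ban, and it flags user accounts whose Display Name equals the login, the leak readers are asked to check. The log lines, IP addresses and user records are constructed samples; the detection thresholds (`min_ids`, `window`) and the user-record field names are my assumptions, chosen to match what `wp user list --fields=user_login,display_name --format=json` prints.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The enumeration request: /?author=<number>. WordPress answers with a 301
# to /author/<login>/, which is what reveals the user name.
AUTHOR_RE = re.compile(r'[?&]author=(\d+)(?:&|$)')

# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:30:10 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Constructed user records in the shape `wp user list --format=json` gives.
SAMPLE_USERS = [
    {"user_login": "fred", "display_name": "fred"},
    {"user_login": "wpadmin_7f3", "display_name": "Site Editor"},
]


def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def find_enumerators(lines, min_ids=3, window=timedelta(minutes=10)):
    """Return {ip: sorted author ids} for clients that requested at least
    `min_ids` distinct ?author=N values inside any `window`-long span.

    A single visitor following one author link will not trip this; a tool
    walking author=1,2,3,... will. The returned IPs are the ones a Fail2Ban
    action would ban."""
    events = defaultdict(list)  # ip -> [(timestamp, author id)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        am = AUTHOR_RE.search(rec["path"])
        if am:
            events[rec["ip"]].append((rec["ts"], int(am.group(1))))

    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ids = {author_id for _, author_id in hits[start:end + 1]}
            if len(ids) >= min_ids:
                flagged[ip] = sorted(ids)
                break
    return flagged


def display_name_leaks(users):
    """Return logins whose public Display Name is the login itself (case-insensitive),
    i.e. accounts whose user name is exposed by feeds, author archives and post meta."""
    leaks = []
    for u in users:
        login = u["user_login"].strip().lower()
        shown = u.get("display_name", "").strip().lower()
        if shown and shown == login:
            leaks.append(u["user_login"])
    return leaks


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"enumeration from {ip}: author ids {ids}")
    for login in display_name_leaks(SAMPLE_USERS):
        print(f"display name leaks login: {login}")
```

Feed `find_enumerators` the lines of your real access log (one file object works, since it only needs an iterable of lines) and feed `display_name_leaks` the parsed JSON from WP-CLI; an empty result from both is the state the thread is aiming for.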

    Plugin Author Alan Fuller

    (@alanfuller)

    Try the latest version, go to settings and enable “restrict the sitemap leak”.

    Plugin Author Alan Fuller

    (@alanfuller)

    I’ll close this off as you have not come back and I am confident the current version will restrict this.
