Support » Fixing WordPress » Hide WordPress users

  • We’ve launched a couple of sites for different clients and installed a limit login attempts plugin. But we’ve noticed that they tried to login with usernames that aren’t visible on the site but that are in the admin. How can I hide all usernames so that those hacking bots can’t find them?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi Rolf,

    It seems that somebody (a bot?) managed to enumerate the usernames and tried to log in using them; That could be easily stopped using more than one method:

    The simplest approach is to block the most trivial user enumeration at the server level, by adding the following code in the “.htaccess” file in your website root directory:

    # Stop User ID Phishing
    <IfModule mod_rewrite.c>
    	RewriteCond %{QUERY_STRING} ^author=([0-9]*) [NC]
    	RewriteRule .* http://your-domain.com/? [L,R=302]
    </IfModule>

    Please beware that before adding this code to “.htaccess” you need to go to “Settings” -> “Permalinks” and switch permalinks to any setting except the default “Plain”, then you need to replace “your-domain.com” in the code above with your own domain name.

    Another approach is to use a plugin like WPBruiser, which has an option named “Prevent User Enumeration” in its “Security” tab that literally “Prevents bots from enumerating users through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API”.
    That’s a pretty easy and powerful thing to do, and there’s other security goodies included for website protection.

    Good luck and have fun! I’d love to know which approach you choose and the results you get!
    Alex.

    Thread Starter rolf.databoss

    (@rolfdataboss)

    Hi Alex,

    Thanks for the response. Why is it that the usernames are that easy accessible? Wouldn’t it be smarter to fix that on the WordPress level? Especially with the gdpr-law coming up in Europe.

    • This reply was modified 2 years, 9 months ago by rolf.databoss.

    Welcome Rolf,

    With such a vast array of situations where WordPress could be used it’s hard to predict all the things people could do to it,
    But the good thing is that it’s pluggable enough that it can be easily protected (beside turning it into … almost anything 🙂 )

    So, which approach would you choose from the above? Code or plugin? If you could disclose this, of course!

    Cheers!
    Alex.

    Thread Starter rolf.databoss

    (@rolfdataboss)

    Hi Alex,

    We’ve found an approach that is more suitable for the many sites we have. Installing an extra plugin or editing the htaccess would take up too much time.

    We’re gonna make an author.php and upload that to the (child)theme with the code:

    <?php
    $location = "Location: ".get_site_url();
    header("HTTP/1.1 301 Moved Permanently");
    header($location);
    ?>

    An upload only takes a few moments.

    Greets,
    Rolf

    • This reply was modified 2 years, 9 months ago by rolf.databoss.

    Ahh, about the GDPR … I guess first technical solutions will start to show up across web in the form of functions developed by independent developers to cover various issues they encounter; then some of these functions will become more widely known, improved and used; then based on these some plugins will start to pop in the Plugin Directory … maybe some well-known plugins will include these … and so on, something like this.
    This is the way it evolves all the time 🙂

    Hi Rolf, thanks for coming back with a solution,

    I understand the need to quickly upload the fix to a lot of websites, but I suspect redirecting user archives will not stop bots from enumerating your usernames (read below why),

    First, if you would like a quick solution easy to upload please use this file – just unzip, then upload the “stop-wordpress-user-phishing.php” file directly in the /wp-contents/plugins/ directory of each website, then go to Plugins and activate this plugin, named “Stop Username Phishing”.

    It’s just one step more than just uploading and it’s guaranteed to work (and tested).

    If you would like to see what’s in the file before downloading please see it here: https://gist.github.com/alexmoise/d5d9073e6165d4e5ac098a184d5405e6

    ===

    Now, why redirecting author archive to site homepage will not prevent bots from enumerate your usernames: The mechanism used by user phishing bots is a bit different and works before that;

    These bots access the website using these URLs:

    http://your-domain.com/?author=1
    http://your-domain.com/?author=2
    … and so on,

    Then they get back from the website the address where the author archive is, which translates into something like:
    http://your-domain.com/?author=1 -> http://your-domain.com/author/admin
    http://your-domain.com/?author=2 -> http://your-domain.com/author/anotheruser
    … etc.

    But then, the bot doesn’t actually follow that newly obtained link; instead the bot removes the “http://your-domain.com/author/&#8221; from the author archive URL sent by the website and stores the list of users; then accesses the “http://your-domain.com/wp-login.php&#8221; and fils the username field with the username and the password with dictionary words …

    So, we need to drop the communication right after receiving the request to access something that contains “?author=” – that’s way there’s a “die();” thing in the file above 🙂

    That’s all, hope it helps!
    Cheers!
    Alex.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Hide WordPress users’ is closed to new replies.