Support » Plugin: iThemes Security (formerly Better WP Security) » Protection from username enumeration?

  • Hi I was wondering if iThemes will be updated to offer protection from username enumeration. I read a recent post that WP 4.7’s full integration with the REST API, has made it really easy for hackers to get listings of usernames and other data from a simple URL. It essentially lists all usernames and other user data in JSON.

    I’m hoping protection against this will be in the works soon!

Viewing 4 replies - 1 through 4 (of 4 total)
  • @scottm-ldg

    According to the 5.9.0 Changelog:

    New Feature: Added a “REST API” feature in the WordPress Tweaks section. This new feature allows you to block or restrict access to the REST API.

    So the feature you are looking for is already there.

    For anyone wondering what this is about read this.

    Yes that article is where I got the info from. My problem is that I can’t use Wordfence on one of my clients websites so I’m relying only on iThemes Security to fix the problem. Unfortunately, in its current state iThemes Security doesn’t fix the problem, when I go to my clients site that only has iThemes Security installed and run the URL I still get that JSON list of usernames.

    I’m hoping we’ll see a patch coming soon because I can’t install Wordfence on that one clients website without creating other problem for them.

    @scottm-ldg

    I just tested the feature and it seems to work properly …

    Did you actually go into the iTSec plugin WordPress Tweaks module and select the “Disable REST API (recommended)” option for the REST API setting ?
    It seems the setting is default set to “Enable REST API”.

    And don’t forget to save your settings after making any changes 😉

    That did seem to do it, I must have missed the setting to disable REST API in the WordPress tweaks. Thanks for the redirect :]

    I will say however that solution is a bit of a meat-cleaver solution – turning off REST all together, I do hope iThemes Security are able to add a check for that one vulnerability so we can still have access to the other benefits of REST.

    For now however I’m just glad to have this protection on that one site. Thanks again for you your help proni!

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Protection from username enumeration?’ is closed to new replies.