Support » Plugin: Stop User Enumeration » User Found By: Author Posts – Author Pattern

  • Resolved apiosys

    (@apiosys)


    Dear support,

    This plugin usually does the trick (I disable some other stuff as well separately, like author sitemaps). But on one site, I can still enumerate one of 4 users using WPScan like so:

    [i] User(s) Identified:

    [+] firstname-lastname
     | Found By: Author Posts - Author Pattern (Passive Detection)

    This isn’t the real name of course, but it did detect a user with its real firstname, hyphen, lastname. This doesn’t correspond to a login nor nickname, but does to the real person’s name. Is the plugin supposed to catch this or not?

    Kind regards,

    Joris.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Alan Fuller

    (@alanfuller)

    The plugin only tries to catch login ids, that is the primary purpose.

    Themes can have many ways of ‘leaking’ real names, and that is what the passive detection of WP Scan does. And I don’t attempt to protect against all themes’ coding.

    The initial primary purpose was to detect that a site was being scanned by WP Scan (without permission) and then to use fail2ban to block that IP at the firewall, on the basis that anyone scanning for something without permission is up to no good.

    Despite the ethical intention of the WP Scan team, their tools are used by many less ethical types.

    Thread Starter apiosys

    (@apiosys)

    OK fair enough, thanks for your clear and quick reply. I’ll get rid of that type of scan by other means.

    Thanks.

    Joris.

    Plugin Author Alan Fuller

    (@alanfuller)

    Thanks, I would be interested in seeing if there are improvements though.

    Obviously you would not wish to share the specific link and observation here but if you want to contact me via my homepage with details I will certainly take a look and see what may be possible.

    Thread Starter apiosys

    (@apiosys)

    Thanks for the proposal, I have “solved” it with just an .htaccess 403 on the author pages, which weren’t needed anyway. No time to debug the theme of the client either, so let’s call it “fixed”.
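    As an added illustration of the .htaccess approach described above (example configuration, not the poster’s actual rules or the plugin’s code), the following returns 403 for WordPress author archives. It assumes Apache with mod_rewrite, WordPress installed at the site root with pretty permalinks, and that the block is placed above the `# BEGIN WordPress` section so it runs before WordPress’s own rewrite rules.

    ```apache
    # Added example: deny WordPress author archives with a 403.
    # Assumes Apache + mod_rewrite, WordPress at the document root, pretty permalinks.
    # Place this ABOVE the "# BEGIN WordPress" block in .htaccess.
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /

        # Pretty-permalink author archives, e.g. /author/firstname-lastname/
        RewriteCond %{REQUEST_URI} ^/author/ [NC]
        RewriteRule ^ - [F]

        # Query-string form, e.g. /?author=1 ; WordPress would otherwise redirect
        # this to the pretty URL above, which confirms the author slug for that ID
        RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+ [NC]
        RewriteRule ^ - [F]
    </IfModule>
    ```

    Note that this only stops the archive page from resolving: if the theme still prints author links in its HTML, the `/author/slug/` pattern remains visible in page source, which is exactly what the passive “Author Pattern” check reads, so the theme’s author links need attention too.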

    Plugin Author Alan Fuller

    (@alanfuller)

    That might be a useful option to add – just a ‘turn off author pages’. I like the concept, as that would be the big leak of names – I’ll add it to the roadmap.

    Thank you for your input.
