Username Extracted From RSS feeds

  • Resolved David Adams

    (@tictag)


    2 years, 1 month ago

    Your plugin prevents the exposure of usernames via a selectable option, “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps”, which is great.

    A wpscan of my site however found usernames via analysis of the site’s RSS feeds.

    Yes, there are plenty of plugins that, and articles showing you how to, disable the default RSS feeds (e.g. https://www.wpbeginner.com/wp-tutorials/how-to-disable-rss-feeds-in-wordpress/) but isn’t this something Wordfence should also be able to do? I mean, it’s just really an extension of the option above.

    Note: you wouldn’t have to mess around with WordPress actions per the article above, a simple RewriteRule ^feed/$ - [R=400,L] in the root .htaccess would presumably do the trick.

    David.

    • This topic was modified 2 years, 1 month ago by David Adams.
    • This topic was modified 2 years, 1 month ago by David Adams.
Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    2 years, 1 month ago

    Hi @tictag, thanks for getting in touch.

    The “Prevent discovery of usernames…” feature can certainly still be useful but is a more long-standing feature in Wordfence when preventing username discovery was considered higher importance in the wider WordPress community. It certainly would be worth me raising a development request with the team over adding an RSS disable feature, as we’re always looking for ways to improve the plugin for our customers.

    Just to clarify what I meant about “higher importance”, an email address or even legitimate WordPress username being exposed isn’t generally considered a security issue by WordPress themselves: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue

    To best protect yourself, make sure all admin accounts and those with high level access (e.g. with publisher access) use a strong password and 2FA. WordPress can auto generate a very strong password for you on an account page. We recommend using a password manager to store and/or generate your complex passwords that are exceedingly difficult to remember.

    Thanks,

    Peter.

Viewing 1 replies (of 1 total)
  • The topic ‘Username Extracted From RSS feeds’ is closed to new replies.