Support » Plugin: Wordfence Security - Firewall & Malware Scan » Wordfence <= 7.1.12 – Username Enumeration Prevention Bypass

  • Resolved sergeyf1

    (@sergeyf1)


    Hello,

    I have a short question. I recently received a newsletter from WPvulndb.com, in which there was a message that a vulnerability was found in Wordfence 7.1.12. Security bug was fixed in Wordfence 7.1.14, according to WPvulndb.com. Can you confirm that the vulnerability has been fixed in all new versions of Wordfence? I’m a little worried, so I decided to ask you directly. I hope for your answer. Thank you very much for the great plugin and your work.

    Additional Information
    Wordfence <= 7.1.12 – Username Enumeration Prevention Bypass
    https://wpvulndb.com/vulnerabilities/9135

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi @sergeyf1!

    I think I may already have replied to you in an email, but for everyone else's benefit:

    By default, WordPress discloses usernames. If you browse to http://www.example.com/?author=1 on a WordPress site you are sent to the author's page, and there the username is displayed. Wordfence has a function that prevents this, so that you cannot browse to http://www.example.com/?author=1 if you have the Wordfence option “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API” enabled. What was discovered was that if you add [] after “author” you could still see the author page even if you had Wordfence and even if that option was enabled.

    This has been fixed. It’s not something that will reoccur in future versions of Wordfence.

    Please note that some themes and plugins disclose usernames as well and we are not able to stop that. It’s important to always use secure passwords. Relying on your username not being known is not enough to keep your site secure.
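    To illustrate the class of bypass described above from the blocking side, here is an added example (not Wordfence's code, and a simplified reconstruction rather than the plugin's actual check) that contrasts a naive filter matching only the exact key `author` with a hardened one that normalises parameter names the way PHP does, so that `author[]` and `author[0]` are caught too. The function names and the probe URLs are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# PHP populates $_GET['author'] from "author=1", "author[]=1" and "author[0]=1"
# alike, so a filter that compares the raw key string misses the bracketed forms.
_PHP_KEY_BASE = re.compile(r"^([^\[]+)(\[.*\])?$")


def naive_blocks_author_scan(url: str) -> bool:
    """Constructed naive check: flag only when the exact key 'author' holds a number."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return "author" in params and params["author"].strip().isdigit()


def php_base_name(key: str) -> str:
    """Reduce a PHP-style parameter name to the $_GET index it populates:
    'author[]' and 'author[0]' both become 'author'; other keys are unchanged."""
    match = _PHP_KEY_BASE.match(key)
    return match.group(1) if match else key


def hardened_blocks_author_scan(url: str) -> bool:
    """Hardened check: normalise every key before comparing and look at every
    value carried under the 'author' index, not just the first one."""
    # parse_qsl percent-decodes, so "author%5B%5D" is seen as "author[]" here.
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if php_base_name(key) == "author" and value.strip().isdigit():
            return True
    return False


# Constructed sample requests: plain probe, two bracketed variants, and benign ones.
PROBES = [
    "http://www.example.com/?author=1",
    "http://www.example.com/?author[]=1",
    "http://www.example.com/?author%5B0%5D=1",
    "http://www.example.com/?p=12",
    "http://www.example.com/?author=",
]


def compare_checks(urls=PROBES):
    """Return (url, naive_result, hardened_result) for each sample request."""
    return [(u, naive_blocks_author_scan(u), hardened_blocks_author_scan(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, hardened in compare_checks():
        print(f"{url:45} naive={naive!s:5} hardened={hardened}")
```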

    Hello,

    Thank you very much for your reply and useful information. Thank you also for your work and a wonderful plugin. In addition to your answer, I recommend everyone to read a very interesting section on the Wordfence website. There are many good articles about website security in this educational section. Thank you again.

    Learn Centre: https://www.wordfence.com/learn/

    Along these same lines, in my opinion it is worth utilizing unused author-user numbers as a honeypot. On the Wordfence “All options” page, in the “Immediately block URLs” list, add a few unused author numbers. When the criminals attempt to find an author (WordPress “user”) to exploit, they’ll get blocked. You can research active user numbers by simply mousing over the “Users” list in WordPress.

    Example below is from my “Immediately block URLs” list in Wordfence:

    /—NOTE-below-blocks-author-scans-using-unused-numbers
    /?author=6
    /?author=7
    /?author=8
    /?author=19
    /?author=22
    /?author=36
    /?author=44
    /?author=46
    /?author=47
    /?author=50

  • The topic ‘Wordfence <= 7.1.12 – Username Enumeration Prevention Bypass’ is closed to new replies.