How to Enumerate WordPress Users with WPScan

The WPScan security scanner may be regarded as the Swiss army knife of WordPress security. Aside from detecting vulnerable plugins, themes and WordPress core installations, WPScan can also be used for an attack known as user enumeration.

What is WordPress user enumeration?

In a user enumeration attack, an attacker looks for subtle differences in how WordPress responds to specific requests. Depending on the response, the attacker can determine whether a user exists or not.

While at first glance this may seem harmless, keep in mind that an attacker may be able to use this information as part of a larger attack.

By default, WordPress is vulnerable to user enumeration, which means that you would likely need to make some small changes in your web server configuration to protect against such attacks. This is where WPScan’s user enumeration tool comes in — it helps you quickly identify if a WordPress installation is vulnerable to user enumeration.

By running the following command, WPScan will attempt to enumerate all users on a given WordPress installation. If successful, it will display a result similar to the below screenshot.

wpscan --url http://example.com --enumerate u

Why does user enumeration work on WordPress?

WordPress user enumeration works on every WordPress site by default because of a WordPress feature called permalinks. Permalinks are permanent URLs to individual WordPress posts and pages (e.g. http://example.com/?p=123).

In addition to posts and pages, WordPress also allows you to list all posts by a particular author’s username (e.g. http://example.com/author/andy). However, crucially, WordPress also allows you to refer to authors using their ID (e.g. http://example.com/?author=2), and then redirects you to the previously mentioned URL containing the username. It is possible for attackers to abuse this functionality to figure out which usernames are valid for a particular WordPress site.

To make matters worse, the above method also works for users who are not actually authors of posts or pages. Notice that even though the below screenshot shows an error, WordPress still returns the username in question.

Incidentally, there are also other ways for attackers to obtain a list of WordPress users, several of which WPScan supports. One such example is the WordPress REST API, which is enabled by default.

What happens if an attacker knows the usernames of your WordPress users?

There is no direct impact from an attacker knowing the usernames on your WordPress website. However, every targeted attack starts with information gathering. During this process attackers try to gather as much information as they can about the target website. They look for information such as usernames, the names and versions of installed plugins and themes, and several other details.

Attackers then use all the gathered information to look for ways to attack the target website. Therefore, even though an attacker cannot hack your website merely by knowing the usernames, the more information you can hide from them, the better.

How do I prevent user enumeration on my WordPress site?

WordPress leaks usernames in several ways. In truth there is no way to fully prevent user enumeration, particularly if your website makes use of author pages. However, you can certainly reduce the attack surface and make user enumeration harder by following the steps below:

  1. Disable the WordPress REST API if you are not using it,
  2. Disable WordPress XML-RPC if you are not using it,
  3. Configure your web server to block requests to /?author=<number>,
  4. Don’t expose /wp-admin and /wp-login.php directly to the public Internet.
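Steps 1 and 3 can also be applied inside WordPress itself rather than in the web server, which is useful when you cannot change the web server configuration. The following must-use plugin is an added example written for this article, not Melapress code or a WordPress API excerpt: it refuses numeric /?author=<number> lookups before WordPress redirects to the username, and hides the REST API users endpoints from visitors who are not logged in. The file name and plugin header are assumptions.

```php
<?php
/**
 * Plugin Name: Limit WordPress User Enumeration (example)
 * Description: Added example for the article above, not Melapress code.
 *              Save as wp-content/mu-plugins/limit-user-enumeration.php
 *              (file name is an assumption; mu-plugins load automatically).
 */

// Step 3, done in WordPress: WordPress turns /?author=2 into a redirect to
// /author/<username> from redirect_canonical(), which runs on template_redirect
// at priority 10. Hooking earlier lets us answer 403 before that redirect fires.
add_action( 'template_redirect', function () {
    // Leave the dashboard alone; the leak is only on the public front end.
    if ( is_admin() ) {
        return;
    }
    // Only the numeric ID form leaks a username the visitor did not already
    // know. /author/<username> pages are left working, which is why the
    // article notes enumeration cannot be fully prevented when author pages
    // are in use.
    if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}, 1 );

// Step 1, narrowed: instead of switching off the whole REST API (which the
// block editor and many plugins need), remove only the user listing routes
// for unauthenticated requests. Logged-in users keep them so wp-admin works.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    // Route keys exactly as WordPress core registers them.
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );
```

After installing it, verify with the article's WPScan command: the author ID method should report no users, while the REST API method should receive a "no route" response for /wp-json/wp/v2/users.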

Protecting from user enumeration is just one of many things you should do for a secure WordPress site. Read these WordPress security best practices which will help you harden your WordPress website.

