Rise Company
15-11-2020, 03:04
WordPress protection: how a hacker finds the admin (wordpress username is known)
Here’s How Hackers Can Find your WordPress Username

https://www.rise.company/forum/images/imported/2020/11/19.jpg

So you’ve taken pains to hide your WordPress login and admin screens from hackers. You’ve changed your default usernames, and removed all mention of them from your theme. You’re safe right? There’s no way that hackers can find your login pages, let alone your usernames. Wrong! Unless you take precautions, here’s how hackers can find your WordPress username with ease. And not just yours – those of everyone on the site.

Two Methods:
Method 1: Using /?author=1 Query Parameter

Fix 1: Modifying .htaccess

Fix 2: Adding a Code Snippet to WordPress

Fix 3: Use Cloudflare Page or Firewall Rules

Method 2: Using WordPress JSON REST Endpoints

Fix: Disable via Code


Method 1: Using /?author=1 Query Parameter

One day, I had just set up a new blog and thought I’d hidden my admin areas pretty well. To my surprise, my security plugins started sending me lockout notices. This means that not only were hackers able to find my login page, they were able to guess my WordPress username as well! I opened up my raw access logs in cPanel, and found this:

https://www.rise.company/forum/images/imported/2020/11/18.jpg

“author” Parameter

Apparently, hackers can find your username in WordPress simply by appending the query /?author=1 to your site’s URL!
You can see in the screenshot above that my server immediately returned the author page – which of course revealed the username. So forget about making your username difficult to guess. It’s right out there in the open!
Here’s how it looks. First, type in your blog address and add /?author=1 after the URL like this:

https://www.rise.company/forum/images/imported/2020/11/19.jpg

Append Author Parameter

This will immediately redirect to your author page like so:

https://www.rise.company/forum/images/imported/2020/11/20.jpg

Hackers can find your WordPress Username

Some experts claim that exposing WordPress usernames is not a security risk (https://wptavern.com/why-showing-the-wordpress-username-is-not-a-security-risk). According to them, creating a strong password and using two-factor authentication is the right way to go about it. But I say there’s nothing wrong with hiding as much information as possible from hackers. Maybe if someone is truly determined to know my username, they can. But that doesn’t mean I have to make it easy for them! I want potential attackers to work to break into my site. Hopefully, this will deter 90% of them.
If hackers don’t know your username, they won’t spam your site trying to guess your password. This means less load on your server. I’ve been brought down once before by hackers DDoS’ing my login page. I don’t want to risk that again.
So how do we close this loophole? There are two ways to prevent WordPress from revealing your author name via the parameter hack.

Fix 1: Modifying .htaccess

This is my preferred technique because it’s much faster than the alternative. By adding a simple .htaccess rule, you can immediately block all attempts to access your WordPress username via the ?author parameter. If you have access to it, open the hidden “.htaccess” file in the root directory of your WordPress installation and paste the following code at the end:


# Fix 1: send any front-end request carrying ?author=<digit> back to the home page
RewriteEngine On
# Condition 1: skip the admin area, which uses the author parameter legitimately ([NC] = case-insensitive)
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
# Condition 2: the query string must contain "author=" followed by a digit
RewriteCond %{QUERY_STRING} author=\d
# Both conditions met: permanent (301) redirect to "/" with the query string stripped ("/?")
RewriteRule ^ /? [L,R=301]

Here’s what the WordPress .htaccess looks like with the above code added on:

https://www.rise.company/forum/images/imported/2020/11/21.jpg

Add Rewrite Rules

These rules check that you’re not in the admin area and whether someone is attempting to use the “author” query parameter. If both conditions are met, the request is simply redirected back to the WordPress homepage. Problem solved!
After implementing this code in my .htaccess, the raw access log entry looks like this:

https://www.rise.company/upload/uploads/160540377499591.jpg

Redirecting to the Home Page Now

So even though someone has attempted to find out my username by typing “/?author=1”, the server smartly sends back the homepage of my blog. This is an extremely fast process, and hardly uses any server resources. So it’s the efficient and preferred way.
But what if you can’t make changes to .htaccess? Then the second method is the one for you.

Fix 2: Adding a Code Snippet to WordPress

The second method is to add a code snippet to WordPress that accomplishes the same thing. If you don’t know how, read my earlier step-by-step tutorial on how to do this. Here is the code you need to paste into your custom plugin or functions.php:



// Fix 2: redirect any front-end request that sets the "author" query var to the home page
function redirect_to_home_if_author_parameter() {
    // get_query_var() returns '' when no ?author=<id> was supplied
    $is_author_set = get_query_var( 'author', '' );
    if ( $is_author_set != '' && ! is_admin() ) {
        wp_redirect( home_url(), 301 );
        exit;
    }
}
// template_redirect fires before any front-end template is loaded
add_action( 'template_redirect', 'redirect_to_home_if_author_parameter' );


This does exactly the same thing as the .htaccess code. It checks that you’re not in the admin area and whether someone is trying to access the author name via the “?author” parameter. If so, it redirects back to the home page.
The difference is that this executes at the WordPress level, and is therefore slightly less efficient than the first method. But if you don’t have access to .htaccess, it’s the only other way. Checking your access logs will reveal exactly the same thing regardless of which method you choose.
So while some might deny that revealing usernames is a security threat, my principle is that the harder you make it for someone to snoop around your website, the better. And if you want to prevent brute force attacks, and to prevent hackers from finding your WordPress username, one of these two snippets of code will do the trick!

Fix 3: Use Cloudflare Page or Firewall Rules

A lot of websites use Cloudflare anyway, so this is an easy solution. Just add a new page rule or a firewall rule to exclude the problematic URL. You can either redirect the page to the home page, or block it altogether. The free version of Cloudflare comes with 3 free page rules and 3 free firewall rules that you’re probably not using anyway. So we might as well utilize them!

Method 2: Using WordPress JSON REST Endpoints

Visit the following URL on your WordPress site:

https://[yoursite]/wp-json/wp/v2/users/1

Replace [yoursite] with your site name. You should get something like this:

https://www.rise.company/upload/uploads/160540377517582.png

Get the Username via wp-json

That’s your WordPress username in plain sight! This is because WordPress exposes certain REST APIs by default, and this allows anyone to enumerate the users via JSON.

Fix: Disable via Code

Fortunately, we can just disable these endpoints via this simple code snippet:


// Remove the two REST routes that list users and fetch a single user by ID
function disable_rest_endpoints( $endpoints ) {
    // /wp-json/wp/v2/users (list of users)
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    // /wp-json/wp/v2/users/<id> (single user); the key is the route's registered regex
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
// rest_endpoints filters the route table before a REST request is dispatched
add_filter( 'rest_endpoints', 'disable_rest_endpoints' );

After you’ve saved your changes, users will be met with this message instead:

https://www.rise.company/upload/uploads/160540377524973.png

WordPress Rest Endpoint JSON Disabled

Blocking these two methods should make it hard for hackers to get a hold of your username!
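To see both probes in your own raw access log, here is an added Python script (not part of the original article) that parses combined-format log lines like the cPanel entries shown above, flags requests that use the ?author=<id> parameter or the /wp-json/wp/v2/users route, and reports per source IP whether each probe was served (200) or blocked (301 after Fix 1/2, 404 after the REST fix). The log lines inside it are constructed samples, and the wp-admin exclusion mirrors the one in the .htaccess rule.

```python
"""Flag WordPress username-enumeration probes in an Apache/cPanel access log.
Covers both vectors from the article (?author=<id> and /wp-json/wp/v2/users); the
status code shows whether the fix is in place: 200 served, 301/404 blocked."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
AUTHOR_ID = re.compile(r"(?:^|&)author=\d")              # author=<digit>, not e.g. coauthor=
REST_USERS = re.compile(r"^/wp-json/wp/v2/users(?:/\d+)?/?$")

# Constructed sample, not a real log: one host probing before the fix, one after,
# and an editor legitimately filtering posts by author inside wp-admin.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2020:03:04:10 +0000] "GET /?author=1 HTTP/1.1" 200 5124 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Nov/2020:03:04:11 +0000] "GET /?author=2 HTTP/1.1" 200 5098 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Nov/2020:03:04:12 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Nov/2020:09:30:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.68.0"
198.51.100.9 - - [15/Nov/2020:09:30:01 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 404 87 "-" "curl/7.68.0"
192.0.2.5 - - [15/Nov/2020:10:00:00 +0000] "GET /wp-admin/edit.php?author=1 HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
"""

def classify(target):
    """Return which enumeration vector a request target uses, or None."""
    parts = urlsplit(target)
    if REST_USERS.match(parts.path):
        return "rest-users"
    if AUTHOR_ID.search(parts.query) and not parts.path.startswith("/wp-admin"):
        return "author-param"          # same wp-admin exclusion the .htaccess rule makes
    return None

def scan_log(text):
    """Parse combined-format lines and return one finding per matching request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        vector = classify(m["target"]) if m else None
        if vector:
            status = int(m["status"])
            findings.append({"ip": m["ip"], "target": m["target"], "vector": vector,
                             "status": status, "outcome": "leaked" if status == 200 else "blocked"})
    return findings

def summarize(findings):
    """Count leaked vs blocked probes per source IP."""
    per_ip = defaultdict(Counter)
    for f in findings:
        per_ip[f["ip"]][f["outcome"]] += 1
    return dict(per_ip)
```

Run it against your real log by passing the file contents to scan_log(); any "leaked" row after you applied the fixes means a vector is still open.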

Source:
https://www.wp-tweaks.com/hackers-can-find-your-wordpress-username/