Are you worried that hackers are attempting to discover usernames on your WordPress site in order to hack it?
Probably not your first instinct, right?
But here’s a reality check: Probing your site to find usernames is quite a common tactic used by hackers.
Once hackers find a valid username, they only need to guess the password to gain access to your site. Hackers will then use what is called a ‘Brute Force Attack’ to guess the right password to your WordPress dashboard.
Next, they take full control of your website and wreak havoc. Hackers steal data, redirect visitors, and spam customers, among a long list of other malicious activities.
But don’t worry because you can prevent hackers from discovering usernames by taking measures against the user enumeration vulnerability.
In this guide, you will learn what user enumeration is and how to prevent it from being exploited by hackers.
TL;DR: User enumeration can increase the chances of a successful brute force attack on your WordPress site. To prevent this, you can install the MalCare Security Plugin. It will detect and automatically block brute force attempts on your site.
What is User Enumeration?
Username enumeration is the process through which hackers can find users of a WordPress website. They scan the website and collect user information (like name, email ID) which they use to try and log into the site.
Note: By user, we don’t mean a visitor or a customer. We mean users who have access to your WordPress admin panel.
Why is this a problem? Hackers use a technique called brute force attacks wherein they attempt to guess your username and password. They program bots to enter thousands of combinations of usernames and passwords in a few seconds.
But if they knew your username, it means they are only one step away from gaining access to your site.
This is where user enumeration comes in. Hackers try to figure out the username by looking at author names and email addresses on your website.
There are different ways in which hackers can find usernames on your site. It’s important to understand the methods hackers use in order to implement measures against user enumeration.
Types Of User Enumeration
Usernames are stored in the database of your WordPress site. However, hackers don’t necessarily have to access your database to find out this information.
We detail two main techniques hackers use to enumerate users on WordPress sites:
1. Using Author Archives
Every user on your WordPress site has a unique ID allotted to them. This ID is used by WordPress to reference the corresponding user account in the database.
Next, as your website’s users create pages and posts, WordPress stores this data in an author archive.
The author archive basically categorizes pages and posts according to who created it.
Hackers can run scripts on your site to load the author archive which may reveal user IDs. Next, they run more scripts to find out the username linked to the user ID.
2. Using The Login Form
When you enter an invalid username on the WordPress login page, it displays this prompt:
Whereas, if you enter a valid username and an incorrect password, WordPress displays this prompt:
This indicates that the username ‘[email protected]’ is a valid username and only the password is incorrect.
Hackers use tools such as Burp Intruder to load a list of possible usernames to find a valid one by examining this response from WordPress.
Using these methods, hackers can discover your username and this brings them closer to hacking your website. You can implement security measures to ensure this doesn’t happen.
Preventing Possible Attempt To Enumerate Users
You can stop user enumeration either by using a plugin or by manually inserting a snippet of code into your WordPress files. We do not recommend the manual method because it’s extremely risky. The slightest misstep can break your website. However, we will detail the steps for both.
1. Install The Stop User Enumeration Plugin
This is the easiest and most efficient way to stop user enumeration on your WordPress site. You can install this Stop User Enumeration Plugin on your site from the WordPress repository.
As the name suggests, the plugin is designed to prevent hackers from scanning your site for usernames.
It also has a nifty feature of logging IP addresses that are attempting to enumerate your users. An IP address is a unique code allotted to a device that is connected to the internet. WordPress Firewall plugins like MalCare are designed to detect IP addresses that carry out malicious activities and block them from accessing your site.
If you have a firewall installed on your site, you can cross-verify the IP address log provided by the Stop User Enumeration plugin against the ones your firewall is blocking. In case it isn’t blocking it, most firewalls allow you to manually enter the IP address and blacklist it. The firewall will then automatically prevent the IP address from accessing your site ever again.
2. Manually Inserting Code To Stop User Enumeration
NOTE: Remember, we DO NOT RECOMMEND using this method. In case you want to proceed, we advise you to take a backup of your WordPress site. If anything goes wrong, you can restore your website back to normal.
Step 1: Log in to your hosting account, go to cPanel > File Manager. (You can also access your files using an FTP like FileZilla.)
Step 2: Open the public_html folder, go to wp-content and access your theme’s folder. Remember to choose the theme that is active on your site.
Step 3: Here, you can find your theme’s function.php file. Right-click and edit this file.
Step 4: Insert the following code:
/**
* Block User Enumeration
*/
function kl_block_user_enumeration_attempts() {
if ( is_admin() ) return;
$author_by_id = ( isset( $_REQUEST['author'] ) && is_numeric( $_REQUEST['author'] ) );
if ( $author_by_id )
wp_die( 'Author archives have been disabled.' );
}
add_action( 'template_redirect', 'kl_block_user_enumeration_attempts' );
Save changes and close the file. User enumeration should be blocked on your website.
With that, we come to an end on protecting your website against user enumeration. We also strongly recommend using a username that is not readily available on your site. For example, if you have team members and blog author names displayed on your site, it would be wise to keep an admin name that is different.
Final Thoughts
By blocking user enumeration in WordPress site, you reduce the chances of brute force attacks. Hackers usually target sites that are easy to hack. Their bots will make a few unsuccessful attempts and move on from your site.
However, brute force attacks are only one of the security threats from which you need to protect your WordPress site from hackers.
We strongly recommend activating a security plugin that will scan your site regularly to ensure it is clean and malware-free. It will also proactively block hackers from accessing your website.
You can operate your site with peace of mind knowing your website is secured.
Protect Your WordPress Site With MalCare!