Disable user discovery in WordPress

Last edited: November 3, 2023
Reading time: 7 mins


One aspect of WordPress security that is often overlooked is user discovery. We all agree that WordPress is a powerful and versatile platform, but with great power comes the need for diligent security measures. User discovery refers to the ability for anyone to find out information about registered users on a WordPress site.

While some level of user discovery can be useful, especially in a community-driven website, it can also pose a security risk if not managed properly. In this comprehensive guide, we will explore what user discovery is, why it should be hidden or restricted, and various ways to implement and mitigate it. We will also provide code snippets and step-by-step instructions for adding these security measures to your WordPress site.

What is User Discovery?

User discovery in WordPress is the ability for anyone, including potential attackers, to retrieve information about registered users on a website. By default, WordPress provides several ways to discover users:

  1. Author Archives: When you create a new post, WordPress automatically generates an author archive page that displays all the posts written by a specific author. This can reveal usernames and potentially other information about the author.
  2. User Enumeration via REST API: Attackers can query the /wp-json/wp/v2/users endpoint, which lists all the users on the site. This endpoint typically provides user IDs, usernames, and other user information. To illustrate, an attacker can use a URL like: https://yoursite.com/wp-json/wp/v2/users. This will return a JSON response with user data, which may include usernames and other user details.
  3. Comment Author Pages: Comment authors on your site also have their own author archive pages, which can be accessed and may contain personal information or even links to their own websites.
  4. User Enumeration: Attackers can employ techniques to enumerate usernames on a WordPress site by trying different usernames until they find valid ones.
  5. Public Author URLs: WordPress assigns a public URL structure for author pages, typically using the “author” parameter in the URL, which makes it relatively easy for anyone to guess author URLs.

Why User Discovery Should Be Hidden

User discovery should be hidden or restricted for several reasons:

  1. Privacy: Usernames and personal information of registered users should not be readily accessible to the public. This is crucial to protect the privacy of your users and prevent potential misuse of their information.
  2. Security: User enumeration can be exploited by malicious actors to launch targeted attacks, such as brute force attacks. By hiding user information, you reduce the attack surface and make it harder for attackers to identify valid usernames.
  3. Preventing Spam: Reducing user discovery can also help prevent spam on your site, as spammers often target user profiles and comment sections.

Ways User Discovery Can Be Implemented

Here are ways user discovery can be implemented, along with code snippets to demonstrate these methods:

1. User Enumeration via Author Archives: User enumeration can occur when an attacker requests author archive pages to confirm which usernames are valid. The URL structure is https://yoursite.com/author/{username}; requesting it with different usernames reveals which ones exist, because WordPress serves an archive page for a valid author and a 404 page otherwise. To mitigate this, restrict or disable author archives as described in the mitigation section below.

2. Comment Author URLs: Comments left by registered users often include links to their websites or social media profiles. While not direct user discovery, this information can be used to identify and potentially discover more about users. You can access these URLs by inspecting comments on your site.

3. User Enumeration via REST API: The WordPress REST API can be used for user enumeration by querying endpoints such as /wp-json/wp/v2/users. To discover users using the REST API, attackers may use scripts to enumerate usernames and other user details.

Here is an example code snippet that demonstrates user enumeration via the REST API:

// Enumerate users via REST API: a plain GET to the public users endpoint
// returns the user list as JSON when the endpoint is left exposed
function enumerate_users_via_rest_api() {
    $users = file_get_contents('https://yoursite.com/wp-json/wp/v2/users');
    return $users;
}

4. User Enumeration via Login Page: Attackers can also attempt to enumerate users by trying various usernames on the WordPress login page. While WordPress typically doesn’t provide specific feedback for failed login attempts, attackers may still gather information about valid usernames.

To discover users via the login page, an attacker might use a script that repeatedly sends POST requests with different usernames to the login endpoint (/wp-login.php).

5. User Enumeration through Public Usernames: In some cases, user information may be publicly available, especially on community or membership-based websites. User profiles or author biographies can reveal usernames and additional details about users.

To “achieve” user discovery, attackers can explore user profiles, author bios, and other publicly accessible user-generated content.

It’s important to note that user enumeration and discovery for malicious purposes are not ethical and may violate privacy and security policies. Therefore, as a website owner, it’s essential to take appropriate measures to protect user information and ensure that your site is not vulnerable to these methods. Consider implementing the mitigation techniques and security measures discussed in previous sections to safeguard your users and maintain the privacy and security of your WordPress site.
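The probes listed above leave a recognisable trail in the web server's access log. The following Python is an added example (not from the original article) that classifies combined-format log lines into the vectors described here and reports source addresses that repeat one of them; the log lines are constructed.

```python
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+')
AUTHOR_ID_RE = re.compile(r'[?&]author=\d+')          # /?author=N ID walk
AUTHOR_ARCHIVE_RE = re.compile(r'^/author/[^/?]+/?$')  # /author/{username}
REST_USERS_RE = re.compile(r'^/wp-json/wp/v2/users(?:[/?]|$)')

def classify(method, path):
    """Map one request to the enumeration vector it matches, or None."""
    if REST_USERS_RE.match(path):
        return 'rest_users'
    if AUTHOR_ID_RE.search(path):
        return 'author_id_scan'
    if AUTHOR_ARCHIVE_RE.match(path):
        return 'author_archive'
    if method == 'POST' and path.startswith('/wp-login.php'):
        return 'login_post'
    return None

def analyze(lines, threshold=3):
    """Per source IP: probes of each kind, plus which probes the site answered
    with HTTP 200 (that vector is still open). An IP is reported once any
    single vector reaches `threshold` requests."""
    counts, served = defaultdict(Counter), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        kind = classify(m['method'], m['path']) if m else None
        if kind is None:
            continue
        counts[m['ip']][kind] += 1
        if m['status'] == '200' and kind in ('rest_users', 'author_archive'):
            served[m['ip']].add(kind)
    return {ip: {'counts': dict(c), 'served': sorted(served[ip])}
            for ip, c in counts.items() if max(c.values()) >= threshold}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [03/Nov/2023:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
198.51.100.7 - - [03/Nov/2023:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0
198.51.100.7 - - [03/Nov/2023:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 5120
198.51.100.7 - - [03/Nov/2023:10:00:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812
203.0.113.9 - - [03/Nov/2023:10:01:00 +0000] "GET /author/example-user/ HTTP/1.1" 200 9321
203.0.113.9 - - [03/Nov/2023:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
203.0.113.9 - - [03/Nov/2023:10:01:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
203.0.113.9 - - [03/Nov/2023:10:01:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3400
192.0.2.44 - - [03/Nov/2023:10:02:00 +0000] "GET /2023/11/hello-world/ HTTP/1.1" 200 15000
""".splitlines()
```

A `served` entry means the probe got a 200, so the corresponding mitigation below is not yet in place for that vector.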

How User Discovery Can Be Mitigated

Now, let’s explore how to mitigate user discovery in WordPress by implementing these methods with code snippets and step-by-step instructions:

  1. Disable REST API user discovery:

The REST API is the most common source of user discovery, and you can close it by adding a small code snippet to your child theme’s functions.php file. This code removes the user-related REST API endpoints for everyone except administrators:

// Hide the REST API user routes from non-administrators
add_filter('rest_endpoints', function ($endpoints) {
    // 'list_users' is the capability behind the Users screen and is held
    // only by administrators by default; WordPress discourages passing a
    // role name such as 'administrator' to current_user_can()
    if (!current_user_can('list_users')) {
        if (isset($endpoints['/wp/v2/users'])) {
            unset($endpoints['/wp/v2/users']);
        }
        // the single-user route is keyed by its regex, including the <id> group
        if (isset($endpoints['/wp/v2/users/(?P<id>[\d]+)'])) {
            unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
        }
    }
    return $endpoints;
});

With these routes removed, requests to /wp-json/wp/v2/users from visitors and non-administrator users receive a 404 rest_no_route response instead of the user list. Note that logged-in Editors and Authors lose the routes as well, and the block editor uses them for its author selector, so check that editing still works for those roles after adding the snippet.

  2. Disable, customize or redirect Author Archives:

To disable author archives, add the following code to your child theme’s functions.php file:

// Option A: disable author archives completely (answer with a 404 page)
function disable_author_archives() {
    if (is_author()) {
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
    }
}
add_action('template_redirect', 'disable_author_archives');

// Option B: customize the author URL base (/author/ becomes /your-custom-base/)
function custom_author_base() {
    global $wp_rewrite;
    $wp_rewrite->author_base = 'your-custom-base';
}
add_action('init', 'custom_author_base');

// Option C: redirect author archives to the homepage
// (do not combine with Option A: both hook template_redirect)
function redirect_author_archive() {
    if (is_author()) {
        wp_redirect(home_url(), 301);
        exit;
    }
}
add_action('template_redirect', 'redirect_author_archive');

Use only one of the three options. The first answers every author archive request with a 404 page, effectively disabling author archives. The second only changes the /author/ part of the URL; the ?author=N canonical redirect still leads to the new base and the username, so it obscures rather than hides the archives. The third sends author archive requests to the homepage with a 301 redirect.

  3. Restrict Comment Author URLs:

To restrict comment author URLs, you can utilize the following code:

// Show a commenter's website link only to logged-in users
function restrict_comment_author_url($url) {
    if (is_user_logged_in()) {
        return $url;
    }
    return home_url();
}
add_filter('get_comment_author_url', 'restrict_comment_author_url');

This code limits comment author URLs to only be displayed for logged-in users, while others will see a link to the site’s homepage.

  4. .htaccess snippet:

You can further strengthen your user discovery restrictions by adding rules to your .htaccess file. Here are some useful snippets for your .htaccess file:

    # Prevent author enumeration through the ?author=N canonical redirect:
    # send such requests to the homepage and drop the query string
    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} author=\d
    RewriteRule ^ /? [L,R=301]
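Once the four changes above are in place, it is worth confirming that each vector is actually closed. This added Python check (not from the original article) judges captured HTTP responses for the three request paths involved; the responses and the username example-user are constructed, and 'slug' is the field in which the REST API exposes the public user name.

```python
import json

USERS_API = '/wp-json/wp/v2/users'
AUTHOR_ID_PROBE = '/?author=1'
AUTHOR_ARCHIVE = '/author/example-user/'   # constructed username

def leaked_usernames(body):
    """Pull the 'slug' field (derived from the login name by default) out of
    a /wp/v2/users JSON body; anything unparsable counts as no leak."""
    try:
        users = json.loads(body)
    except ValueError:
        return []
    if not isinstance(users, list):
        return []
    return [u['slug'] for u in users if isinstance(u, dict) and 'slug' in u]

def audit(responses):
    """responses: {path: (status, headers, body)} captured from the site.
    Returns ({vector: 'exposed'|'mitigated'}, [usernames leaked by the API])."""
    findings = {}
    status, _, body = responses[USERS_API]
    leaked = leaked_usernames(body) if status == 200 else []
    # After the rest_endpoints filter the route is gone and WordPress answers
    # 404 rest_no_route; a 401/403 from a plugin also counts as closed.
    findings['rest_users'] = 'exposed' if status == 200 else 'mitigated'

    status, headers, _ = responses[AUTHOR_ID_PROBE]
    location = headers.get('Location', '')
    # Stock WordPress canonical-redirects ?author=N to /author/<username>/;
    # the .htaccess rule above turns that into a redirect to the homepage.
    findings['author_id_redirect'] = (
        'exposed' if status in (301, 302) and '/author/' in location else 'mitigated')

    status, _, _ = responses[AUTHOR_ARCHIVE]
    findings['author_archive'] = 'exposed' if status == 200 else 'mitigated'
    return findings, leaked

# Constructed captures: a stock site before the changes, and the same site after.
BEFORE = {
    USERS_API: (200, {}, '[{"id":1,"slug":"example-user"},{"id":2,"slug":"editor2"}]'),
    AUTHOR_ID_PROBE: (301, {'Location': 'https://yoursite.com/author/example-user/'}, ''),
    AUTHOR_ARCHIVE: (200, {}, '<html>...author archive...</html>'),
}
AFTER = {
    USERS_API: (404, {}, '{"code":"rest_no_route"}'),
    AUTHOR_ID_PROBE: (301, {'Location': 'https://yoursite.com/'}, ''),
    AUTHOR_ARCHIVE: (404, {}, '<html>Not found</html>'),
}
```

Feed `audit()` the real responses from your own site to see which of the three vectors still reads 'exposed'.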

Mitigate user discovery in WordPress

User discovery in WordPress is a critical aspect of website security and user privacy. By taking measures to hide or restrict user information, you can protect your users and enhance your site’s security. It’s essential to carefully implement these measures, and the provided code snippets and instructions can help you achieve that. Remember that while these techniques mitigate user discovery, maintaining other security practices, such as strong passwords and regular updates, is equally important to safeguard your WordPress site.

🚀 Suggested Reading: You did a good job disabling user discovery for the REST API, the author archives and through .htaccess. Combine what you learned in this article with our guide for disabling default login hints on the WordPress login page to completely hide correct usernames from the failure messages and further secure your website.
