Are you worried that hackers are trying to discover the usernames on your WordPress site so they can break into it?
It is probably not the first risk that comes to mind.
But here is a reality check: scanning a site for usernames is a very common hacker technique.
Once a hacker has found a valid username, all that remains is to guess the password. They then use what is known as a ‘brute force attack’ to guess the correct password for the WordPress dashboard.
Next, they take complete control of the site and wreak havoc on it. Among a long list of other malicious practices, hackers steal records, redirect visitors, and spam customers.
But don’t worry: by acting against the user enumeration flaw, you can keep hackers from finding usernames.
In this tutorial you will learn what user enumeration is and how to stop hackers from exploiting it.
TL;DR
User enumeration improves the odds of a successful brute force attack on your WordPress site. To prevent this, you can install the MalCare Security Plugin; it detects brute force attempts on your site and blocks them automatically.
What is User Enumeration?
User enumeration is the method hackers use to discover the users of a WordPress website. They scan the site and gather user information (such as names and email addresses) that they then use when trying to log in.
Note: by user we do not mean a customer or a visitor. We mean accounts that have access to the WordPress admin panel.
Why is this a problem? Hackers rely on a brute force attack, in which they try to guess both the username and the password. Their bots are designed to submit thousands of username and password combinations in a matter of seconds.
If your username has already been identified, they are only one step away from getting into your site.
This is where user enumeration comes in. By looking at the author names and email addresses exposed on your website, hackers try to work out the username.
There are several ways hackers can identify usernames on your site. To put effective measures against user enumeration in place, you need to understand the techniques they use.
Types Of User Enumeration
Usernames are stored in the WordPress site’s database. However, hackers do not actually need access to the server to uncover them.
Below we describe the two main techniques hackers use to enumerate users on WordPress sites:
Using Author Archives
Every user on your WordPress site is assigned a unique ID. WordPress uses this ID to refer to the corresponding user account in the database.
WordPress also uses this ID in the author archive, which is built as the site’s users publish posts and pages.
In short, the author archive groups posts and pages by the user who created them.
Hackers run scripts against your site that load author archives by user ID, which can expose which IDs exist. They then run further scripts to find the username linked to each ID.
Using The Login Form
When you enter an invalid username on the WordPress login page, this prompt is displayed:
Whereas, if you enter a valid username with an incorrect password, WordPress displays this prompt instead:
Preventing Possible Attempt To Enumerate Users
You can stop user enumeration either by using a plugin or by manually adding a snippet of code to your WordPress theme. We do not recommend the manual method, because the slightest mistake can break your website. We will explain both methods nonetheless.
Install The Stop User Enumeration Plugin
This is the fastest and most effective way to stop user enumeration on a WordPress site. The Stop User Enumeration plugin can be installed on your site from the WordPress plugin repository.
As the name suggests, the plugin is designed to prevent hackers from looking up usernames on your site.
It also has a handy feature that logs the IP addresses that attempt to enumerate users. An IP address is a unique identifier assigned to a computer connected to the internet. WordPress firewall plugins such as MalCare are built to identify and block connections to the site from IP addresses that carry out malicious activity.
If you have a firewall installed on your site, you should cross-check the IP address log kept by the Stop User Enumeration plugin against the addresses your firewall is blocking. If an address is not already blocked, most firewalls let you add it to a blocklist manually. The firewall will then automatically stop that IP address from ever reaching your site again.
Manually Inserting Code To Stop User Enumeration
NOTE: Remember, we DO NOT recommend this method. If you wish to continue, we urge you to take a backup of your WordPress site first. That way you can restore your website to normal if something goes wrong.
Step 1: Log in to your hosting account and go to cPanel > File Manager. (You can also access the files with an FTP client such as FileZilla.)
Step 2: Open the public_html folder, go to wp-content, and open the folder of your theme. Make sure you pick the theme that is active on your site.
Step 3: In that folder you will find your theme’s functions.php file. Right-click this file and choose to edit it.
Step 4: Insert the following code:
    /**
     * Block User Enumeration
     *
     * Refuses front-end requests that look up an author archive by numeric
     * user ID (e.g. a request carrying ?author=1).
     */
    function kl_block_user_enumeration_attempts() {
        // Leave the dashboard alone; only front-end requests are checked.
        if ( is_admin() ) return;
        // True when the request names an author by numeric ID.
        $author_by_id = ( isset( $_REQUEST['author'] ) && is_numeric( $_REQUEST['author'] ) );
        if ( $author_by_id )
            wp_die( 'Author archives have been disabled.' );
    }
    add_action( 'template_redirect', 'kl_block_user_enumeration_attempts' );
Save the changes and close the file. User enumeration should now be blocked on your website.
That concludes securing your website against user enumeration. We also strongly recommend using a username that is not displayed anywhere on your site. For example, if you show team members and blog author names on your site, it is wise to keep the admin username different from those names.
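The snippet above only covers the ?author=N form of the author-archive technique. As an added example (not code from this post or from the Stop User Enumeration plugin), the following theme snippet also refuses the /author/slug/ form of the archive and makes the login form return the same message for an unknown username and a wrong password, addressing both techniques described earlier. The ex_ function names are placeholders chosen for this example; the ?author=N check is hooked on init so it runs before WordPress’s canonical redirect, which would otherwise rewrite ?author=N to the author’s slug URL and reveal the name in the redirect.

```php
<?php
/**
 * User enumeration mitigation (added example, not from the post or plugin).
 * The "ex_" prefix is a placeholder; rename it to suit your theme or plugin.
 */

// 1. Refuse ?author=N lookups early. 'init' runs before the canonical
//    redirect on template_redirect, which would otherwise answer ?author=N
//    with a redirect to /author/<user-slug>/ and leak the name.
function ex_block_numeric_author_query() {
    if ( is_admin() ) {
        return; // never interfere with the dashboard or admin-ajax requests
    }
    if ( isset( $_REQUEST['author'] ) && is_numeric( $_REQUEST['author'] ) ) {
        wp_die( 'Author archives have been disabled.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'init', 'ex_block_numeric_author_query', 1 );

// 2. Refuse the pretty-permalink form /author/<slug>/ as well. is_author()
//    is only meaningful once the main query has run, so this check lives on
//    template_redirect, at priority 1 so it precedes the canonical redirect.
function ex_block_author_archive() {
    if ( ! is_admin() && is_author() ) {
        wp_die( 'Author archives have been disabled.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'template_redirect', 'ex_block_author_archive', 1 );

// 3. Return one generic message for every failed login, so the login form
//    no longer confirms whether a username exists (the two prompts above).
function ex_generic_login_error( $error ) {
    return 'Invalid username or password.';
}
add_filter( 'login_errors', 'ex_generic_login_error' );
```

After adding it, a front-end request with ?author=1 should receive a 403 page rather than a redirect, and a failed login with a valid username should show the same text as one with an unknown username.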
Final Thoughts
By blocking user enumeration on your WordPress website, you reduce the likelihood of brute force attacks. Hackers typically target sites that are easy to break into, so their bots will make a few futile attempts and then move on from your site.
Brute force attacks, however, are just one of the threats you need to defend your WordPress site against.
To keep it safe and malware-free, we strongly suggest enabling a security plugin that scans the site daily and proactively blocks hackers from getting in.
You can then run your site with the peace of mind of knowing it is protected.