WordPress Author Security
WordPress is one of the most frequently used content management systems and is used for millions of websites.
Further information can be found here: https://trends.builtwith.com/cms/WordPress
The vulnerabilities in WordPress and its plugins were found and fixed, but what remains is username enumeration. The easiest way to do this is via the author pages. These pages are used to display information about the authors of articles or blog posts, but the problem is that an attacker can use them to find out valid usernames of the system. Once the usernames are known, an attacker can try to obtain the matching passwords by brute-force attacks or social engineering and then log into the application as that user. In addition, it can lead to data protection problems if all users of a company can be listed via WordPress.
WordPress offers two ways to enumerate users via the author pages:

1: Via the author ID

For this you only have to add a parameter (author) to the URL. If an author exists under the given ID, you will be redirected to the corresponding author page, whose URL contains the username:

https://yourdomain.com/?author=id

2: Via the permalink

For this method the username is written directly into the URL to get to the author page. If the page exists, the username is valid:

https://yourdomain.com/author/username
Common plugins only disable the first method, and many tutorials found on the Internet also cover only the first method; the permalinks are mostly ignored. To close both, our colleague Alexander Elchlepp has developed a plugin for WordPress which prevents both methods. You can find this plugin on GitHub at: https://github.com/mgm-sp/wp-author-security.
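To illustrate why both methods have to be handled, the following must-use plugin is an added example (it is not the wp-author-security plugin from the repository above, nor code from WordPress itself). It returns the same 404 response for the query-parameter method and for the permalink method, so a request no longer tells the client whether a user ID or username exists, and it rewrites author links that a theme would otherwise print. The file name, the hook priorities and the decision to keep author archives working inside wp-admin are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Block Author Enumeration (example)
 * Description: Added example, not the mgm-sp/wp-author-security plugin.
 *              Blocks both ?author=ID and /author/username enumeration.
 *
 * Hypothetical file: wp-content/mu-plugins/block-author-enumeration.php
 * (mu-plugins are loaded automatically, no activation step needed)
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // never execute outside WordPress
}

/**
 * Send a uniform 404 so that existing and non-existing users are indistinguishable.
 * Render the theme's 404 template when it has one so the response matches any other missing page.
 */
function bae_send_404() {
    global $wp_query;
    if ( $wp_query instanceof WP_Query ) {
        $wp_query->set_404();
    }
    status_header( 404 );
    nocache_headers();
    $template = get_404_template(); // returns '' if the theme ships no 404.php
    if ( $template ) {
        include $template;
    }
    exit;
}

/**
 * Method 1: ?author=ID (and ?author_name=slug).
 * Runs on 'init', before WordPress builds the query and before the canonical
 * redirect that would otherwise reveal /author/<username>.
 */
add_action( 'init', function () {
    if ( is_admin() ) {
        return; // editors legitimately filter post lists by author in wp-admin
    }
    if ( isset( $_GET['author'] ) || isset( $_GET['author_name'] ) ) {
        bae_send_404();
    }
} );

/**
 * Method 2: /author/<username> permalinks.
 * WordPress resolves these to an author archive; is_author() is true here.
 * Priority 0 puts this before redirect_canonical() on the same hook.
 */
add_action( 'template_redirect', function () {
    if ( is_author() ) {
        bae_send_404();
    }
}, 0 );

/**
 * Themes call get_author_posts_url() for bylines, which would print the
 * username in the link even though the archive is now blocked; point the
 * link at the front page instead.
 */
add_filter( 'author_link', function ( $link, $author_id, $author_nicename ) {
    return home_url( '/' );
}, 10, 3 );
```

Check both paths after deploying: a request for ?author=1 and one for /author/<any-name> should both answer with the site's ordinary 404 page and no Location header, and a byline on a post should link to the front page rather than to an author archive.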

Are you unsure whether your WordPress instance is secure? Please feel free to contact us!