WordPress Author Security
WordPress is one of the most widely used content management systems and powers millions of websites.
Further information can be found here: https://trends.builtwith.com/cms/WordPress
Many vulnerabilities in WordPress core and its plugins have been found and fixed over the years, but one weakness remains: username enumeration. The easiest way to do this is via the author pages. These pages display information about the authors of articles or blog posts. The problem is that an attacker can use them to find out valid usernames of the system. Once he has the usernames, he can try to obtain the passwords by brute-force attacks or social engineering and then log in to the application as those users. In addition, it can lead to data protection problems if all users of a company can be listed via WordPress.
WordPress offers two ways to enumerate users via the author pages:
1: Via the author ID
For this you only have to add a parameter named author to the URL, e.g. https://example.org/?author=1. If a user exists under the given ID, WordPress redirects you to the corresponding author page, and the URL of that page contains the username (e.g. /author/admin/).
2: Via the permalink
For this method the username is written directly into the URL of the author page, e.g. https://example.org/author/admin/. If the user exists, the author page is returned; otherwise WordPress answers with a 404. This makes it possible to confirm guessed usernames one by one.
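To make both methods concrete, here is an added example that is not code from the original post and not the code of the wp-author-security plugin. It implements the two checks as a pentester would run them and, so that it runs offline, replaces the HTTP client with a constructed fake WordPress site whose users (admin, alice), host name (blog.example) and configurations are all made up. The fake site can be switched to block only the ID redirect, which is what most hardening plugins do, or to block both the redirect and the author permalinks.

```python
"""Added example: WordPress username enumeration via author pages, both methods,
run offline against a constructed fake site (not the plugin's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urljoin, urlparse


@dataclass
class Response:
    """Minimal HTTP response: status code, Location header (for 3xx), body."""
    status: int
    location: Optional[str] = None
    body: str = ""


# A fetcher maps an absolute URL to a Response. Against a real host this would be
# requests.get(url, allow_redirects=False); here it is the constructed fake site.
Fetch = Callable[[str], Response]

# Author archive permalink as WordPress generates it: /author/<user_nicename>/
AUTHOR_PATH = re.compile(r"/author/([^/?#]+)/?")


def username_from_author_id(base_url: str, author_id: int, fetch: Fetch) -> Optional[str]:
    """Method 1: GET /?author=<id>. A stock install redirects to /author/<name>/
    when a user with that ID (and published posts) exists, which leaks the name.
    A 404, or a redirect whose target is not an author page, means: no such user."""
    resp = fetch(urljoin(base_url, f"/?author={author_id}"))
    if resp.status not in (301, 302) or not resp.location:
        return None
    match = AUTHOR_PATH.search(urlparse(resp.location).path)
    return match.group(1) if match else None


def user_exists_by_permalink(base_url: str, candidate: str, fetch: Fetch) -> bool:
    """Method 2: GET /author/<candidate>/. 200 means the author page exists;
    WordPress answers 404 for unknown names, so this confirms guessed usernames."""
    resp = fetch(urljoin(base_url, f"/author/{candidate}/"))
    return resp.status == 200


def enumerate_users(base_url: str, fetch: Fetch, max_id: int = 10,
                    wordlist: tuple = ()) -> Dict[str, str]:
    """Combine both methods; maps each discovered username to how it was found."""
    found: Dict[str, str] = {}
    for author_id in range(1, max_id + 1):
        name = username_from_author_id(base_url, author_id, fetch)
        if name:
            found[name] = f"author_id={author_id}"
    for candidate in wordlist:
        if candidate not in found and user_exists_by_permalink(base_url, candidate, fetch):
            found[candidate] = "permalink"
    return found


# Constructed sample data for the fake site (not taken from any real installation).
CONSTRUCTED_USERS = {1: "admin", 2: "alice"}


def make_fake_site(block_id_redirect: bool, block_permalink: bool) -> Fetch:
    """Simulate a WordPress install. block_id_redirect mimics plugins that only
    stop the ?author=<id> redirect; block_permalink additionally answers 404 for
    every /author/<name>/ page, so neither method leaks a username."""
    def fetch(url: str) -> Response:
        parts = urlparse(url)
        query = parse_qs(parts.query)
        if "author" in query:  # target of method 1
            try:
                slug = CONSTRUCTED_USERS.get(int(query["author"][0]))
            except ValueError:
                slug = None
            if slug is None or block_id_redirect:
                return Response(404)
            return Response(301, location=f"{parts.scheme}://{parts.netloc}/author/{slug}/")
        match = AUTHOR_PATH.search(parts.path)
        if match:  # target of method 2
            if match.group(1) in CONSTRUCTED_USERS.values() and not block_permalink:
                return Response(200, body=f"<h1>Posts by {match.group(1)}</h1>")
            return Response(404)
        return Response(200, body="<h1>Home</h1>")
    return fetch


def demo() -> Dict[str, Dict[str, str]]:
    """Run the enumeration against three simulated hardening states."""
    base = "https://blog.example/"
    wordlist = ("admin", "alice", "bob")
    return {
        "stock": enumerate_users(base, make_fake_site(False, False), 5, wordlist),
        "id_only_blocked": enumerate_users(base, make_fake_site(True, False), 5, wordlist),
        "both_blocked": enumerate_users(base, make_fake_site(True, True), 5, wordlist),
    }


if __name__ == "__main__":
    for config, users in demo().items():
        print(f"{config:16s} -> {users}")
```

The "id_only_blocked" run is the interesting one: the ID redirect is gone, yet every name on the wordlist is still confirmed through the permalink, which is exactly the gap most tutorials and plugins leave open. When pointing the two check functions at a real host, disable automatic redirect following in the HTTP client, because method 1 relies on reading the Location header rather than the final page.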
Common plugins only disable the first method. Likewise, many tutorials found on the Internet cover only the first method; the permalinks are mostly ignored. To close both gaps, our colleague Alexander Elchlepp has developed a plugin for WordPress that prevents both methods. You can find this plugin on GitHub at: https://github.com/mgm-sp/wp-author-security.
Are you unsure whether your WordPress instance is secure? Please feel free to contact us!
Update: Our WordPress Author Security Plugin is now available in the WordPress Plugin Store.