WordPress User Enumeration Attack in Focus
Valentin Balint

WordPress User Enumeration Attack in Focus

If you’re a WordPress user, then this following article is a must for you. However, if you are interested in website vulnerabilities and how they can be attacked, and you wish to upgrade your knowledge about them, you’ve also come to the perfect place as well. In this article, we’ll be talking about the user enumeration attack method, and how you can protect against it if you’re a WordPress user.

Attack type

A hacker can use user enumeration to get access to a specific application or website by getting the credentials—in the first instance, the usernames—through an attack. If the attacker gets these usernames they will be one step closer to hacking into and reaching the users’ accounts.

How it works in action

To exploit this vulnerability, the attacker needs to attack in two phases:

First phase: The attacker uses a flaw in the system. For example, whenever you wish to log in to a website with incorrect credentials, the system might give you the following error message: ‘invalid username’. In this case, the bad guy needs to try until the response of the system is ‘invalid password’. In this case, the conclusion is that the username is valid and only the password is missing.

In many WordPress installations, it is possible to reach the usernames through the author archives. To access them, we just need to add ‘author=n’ as a parameter to the WordPress home page. Let’s see some examples:

www.example.com/?author=1
www.example.com/?author=2
www.example.com/?author=3
www.example.com/?author=4

After this process comes the second phase of the attack:

Second phase: When the bad guy has collected as many login names as possible there are no more steps to take. He only needs to hack into these accounts with a brute force attack. This could be a critical point, especially when an account has a weak password which can be hacked easily. We’ve already mentioned the importance of a strong password in some of our previous blog articles:

This topic was also mentioned in our latest Security Meetup.

Vulnerable surfaces

An attacker can take advantage of this form of attack on several interfaces. Naturally, the most common one is the login surface. This can be attacked by the bad guys in an above-mentioned way.

The second major interface is the ‘forgotten password’ site. In this case, the attacker checks for the following system response: ‘username does not exist’. The hacker can attack again and again until he/she gets a response similar to ‘An email has been sent to the address on record.’ When this response is generated, that means that the username does exist and it can be attacked with a brute force attack.

The third interface is the registration site. Here the attacker needs to search for the following response: ‘the username is already in use’. This means that the username is registered, and as previously mentioned, it ‘only’ needs a brute force attack.

There’s a more advanced case in which the server’s response time is noted. In some cases, the server responds within seconds when the username is valid, but on average it takes longer to respond when the request involves a non-existent username. This method can be also valuable for the attackers.

How does BitNinja protect your server against this vulnerability?

BitNinja can defend your Apache webservers and the domains on it against WordPress user enumeration attacks perfectly. For this, of its nine modules, the SenseLog module's ApacheWpEnumeration rule is responsible. The module analyzes the logs and if it finds the specific pattern for this attack request, it warns our system about the activity and moves the affected IP to the BitNinja greylist.

Here are some logs showing the detected and stopped attack requests:

I hope you found this article useful and interesting. Leave a comment below and share your thoughts about this topic, or if you have any questions, send us a message to info@bitninja.io. Our support ninjas are always happy to guide you. ;)

Share your ideas with us about this article

Previous posts

Bitninja for Plesk - New extension for Plesk users
We are happy to announce the release of our brand-new BitNinja Plesk extension. From now on, Plesk customers can get all the advantages and secure their Linux servers much easier from their Plesk panel. The BitNinja Plesk Extension gives you real-time protection against a wide range of threats without the need of any configuration and long hours of work. Scheduled reports, automatic false positive handling and threat analysis for more in-depth review are the cherry on top for analytical minds. Within the BitNinja Extension, it's getting more comfortable for Plesk users to in...
Became More Secure Than Other Hosting Companies: Case Study with FastComet
FastComet is one the trendiest web hosting companies these days. They have more than 45,000 customers from 83 countries, over nine years of experience in system administration, and they’ve been providing public cloud hosting services since 2013. FastComet has a very high rating on HostAdvice, thanks to their high reliability, excellent 24/7 support, affordable pricing, easy usability, and fantastic features. FastComet joined our Ninja Community in 2017 and we are delighted that since then they’ve become one of our biggest partners. Now, it’s time to share the story about how BitNinja brough...