WordPress User Enumeration Attack in Focus

If you’re a WordPress user, this article is a must-read. If you are interested in website vulnerabilities and how they can be attacked, and you wish to expand your knowledge of them, you’ve also come to the right place. In this article, we’ll be talking about the user enumeration attack method and how you can protect against it if you’re a WordPress user.

Attack type

A hacker can use user enumeration to get access to a specific application or website by getting the credentials—in the first instance, the usernames—through an attack. If the attacker gets these usernames they will be one step closer to hacking into and reaching the users’ accounts.

How it works in action

To exploit this vulnerability, the attacker needs to attack in two phases:

First phase: The attacker exploits a flaw in the system. For example, when you try to log in to a website with incorrect credentials, the system might return the error message ‘invalid username’. The attacker then keeps trying usernames until the system responds with ‘invalid password’. That response shows that the username is valid and only the password is missing.

In many WordPress installations, it is possible to reach the usernames through the author archives. To access them, we just need to add ‘author=n’ as a parameter to the WordPress home page. Let’s see some examples:


After this process comes the second phase of the attack:

Second phase: Once the attacker has collected as many login names as possible, the only step left is to break into these accounts with a brute force attack. This could be a critical point, especially when an account has a weak password that can be guessed easily. We’ve already mentioned the importance of a strong password in some of our previous blog articles:

This topic was also mentioned in our latest Security Meetup.

Vulnerable surfaces

An attacker can use this form of attack on several interfaces. Naturally, the most common one is the login surface, which can be attacked in the way described above.

The second major interface is the ‘forgotten password’ site. In this case, the attacker checks for the system response ‘username does not exist’ and keeps trying until he/she gets a response similar to ‘An email has been sent to the address on record.’ When this response is generated, the username does exist and it can be attacked with a brute force attack.

The third interface is the registration site. Here the attacker needs to search for the following response: ‘the username is already in use’. This means that the username is registered, and as previously mentioned, it ‘only’ needs a brute force attack.

There’s a more advanced case in which the server’s response time is noted. In some cases, the server responds within seconds when the username is valid, but on average it takes longer to respond when the request involves a non-existent username. This method can also be valuable for attackers.

How does BitNinja protect your server against this vulnerability?

BitNinja can defend your Apache web servers and the domains on them against WordPress user enumeration attacks perfectly. Of its nine modules, SenseLog is the one responsible for this, through its ApacheWpEnumeration rule. The module analyzes the logs and, if it finds the specific pattern of this attack request, it warns our system about the activity and moves the affected IP to the BitNinja greylist.
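To make the log-analysis idea concrete, here is an added example (not BitNinja's ApacheWpEnumeration rule, whose pattern is not published on this page) that scans Apache access log lines for repeated ‘author=n’ requests from one IP. The function names, the threshold of three distinct IDs and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})')

def author_id(target):
    """Return N for a request target carrying author=N, otherwise None."""
    values = parse_qs(urlsplit(target).query).get("author", [])
    if values and re.fullmatch(r"[0-9]{1,10}", values[0]):
        return int(values[0])
    return None

def find_enumerators(lines, threshold=3):
    """Report IPs that requested at least `threshold` distinct author IDs.

    'redirected' lists the IDs answered with a 3xx status. Assumption: with
    pretty permalinks WordPress redirects ?author=N to /author/<name>/, so a
    redirect usually means a username was disclosed.
    """
    probed = defaultdict(set)
    redirected = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not valid access log entries
        ip, target, status = m.groups()
        aid = author_id(target)
        if aid is None:
            continue
        probed[ip].add(aid)
        if status.startswith("3"):
            redirected[ip].add(aid)
    return {ip: {"probed": sorted(ids), "redirected": sorted(redirected[ip])}
            for ip, ids in probed.items() if len(ids) >= threshold}

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /?author=3 HTTP/1.1" 404 512 "-" "curl/8.0"',
    '198.51.100.20 - - [10/Oct/2023:13:56:10 +0000] "GET /?author=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Oct/2023:13:56:40 +0000] "GET /?p=12 HTTP/1.1" 200 9311 "-" "Mozilla/5.0"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for ip, hit in find_enumerators(SAMPLE).items():
        print(ip, "probed", hit["probed"], "redirected", hit["redirected"])
```

A single author-archive request, like the one from 198.51.100.20, stays below the threshold and is not reported.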

Here are some logs showing the detected and stopped attack requests:

I hope you found this article useful and interesting. Leave a comment below and share your thoughts about this topic, or if you have any questions, send us a message at info@bitninja.io. Our support ninjas are always happy to guide you. 😉