Running a WordPress site means constantly staying vigilant against various security threats. One often overlooked, yet significant, threat is user enumeration attacks, which serve as a gateway for hackers to breach your site.

In this article, we’ll delve into effective strategies to detect and prevent user enumeration attacks. We’ll also explore the powerful security features offered by Shield Security PRO that can help protect your WordPress site against these threats.

What is user enumeration, and how can attackers use it?

User enumeration is a technique attackers use to discover usernames registered on your WordPress site. Once attackers have a list of valid usernames, they can move on to more aggressive attacks, such as brute force or dictionary attacks, to guess the passwords.

Cybercriminals exploit certain features in WordPress that can reveal valid usernames on the site, such as:

Author archives

WordPress automatically generates pages listing all posts by a specific author using the URL structure example.com/?author=1, example.com/?author=2, etc. By iterating through different numbers, attackers can identify valid usernames from the author pages that are displayed.

Error messages

When attempting to log in with an incorrect username, WordPress displays an error message stating “username is not registered”.

The WordPress login error message.

However, if the username is valid but the password is wrong, the error is different.

The WordPress login error message for when the username is correct but the password is incorrect.

By trying different usernames and observing the error messages, attackers can determine which ones are valid usernames on the site.

WordPress REST API endpoints

Since WordPress 4.7, the REST API is enabled by default, which can potentially expose user data like usernames through API endpoints like /wp-json/wp/v2/users/. Attackers can enumerate users by sending requests to these endpoints, if they’re left unrestricted.

Brute force attacks

Attackers may use brute force techniques by trying different username and password combinations systematically to identify valid user accounts.

A common variant of brute force attacks is the dictionary attack, where the cybercriminal uses a precompiled list of common passwords or passphrases, often obtained from previous data breaches, to expedite the process. This list is known as a “dictionary”.

Mitigating the risk of user enumeration attacks is necessary for maintaining a secure WordPress site. Simple steps like limiting login attempts, making error messages more generic, or implementing Two-Factor Authentication (2FA) can significantly enhance your user account security.

For now, let’s see how Shield Security PRO secures WordPress sites against user enumeration attacks.

Shield Security PRO tools to prevent user enumeration attacks

Shield Security PRO offers an extensive suite of tools to secure your site, ensuring that even if attackers identify valid usernames, they’ll not be able to do anything with it.

2FA tools and password policies

Strong password and login security are one of the most effective ways to prevent damage from user enumeration attacks. 2FA adds an extra layer of security by requiring users to verify their identities using a second method beyond just a username and password. This significantly reduces the chances of unauthorised access, even if an attacker has identified a valid username.

Shield Security PRO's 2FA settings.

Shield Security PRO’s 2FA tools offer flexible options, supporting various methods such as email, Google Authenticator, and Yubikey, making it easier for users to comply with enhanced security measures.

In addition to 2FA, Shield Security PRO enforces strong password policies like setting:

  • A minimum password strength that users must adhere to when setting or changing passwords.
  • Password expiration to force users to periodically update their passwords after a set number of days.
  • Blocking use of “pwned” passwords (i.e. preventing password re-use where a password has been exposed in a data breach)

This ensures that all users create and maintain strong passwords, reducing the likelihood of an attacker successfully guessing them.

Limit Login Attempts

Shield Security PRO’s login attempt limit feature.

Limiting login attempts is a powerful defence against brute force attacks, which are often used in conjunction with user enumeration to gain unauthorised access. Shield Security PRO’s login attempt limit feature uses its built-in silentCAPTCHA technology to block bots from logging-in, and then to completely block IP addresses after a certain number of failed login attempts.

This feature is highly customisable, allowing administrators to adjust the threshold based on their specific security needs. By setting appropriate limits, you can significantly reduce the risk of successful brute-force attacks.

silentCAPTCHA: Bad-Bot Blocking

Shield Security PRO’s bad-bot blocking settings.

Shield Security PRO’s bad-bot blocking feature identifies and blocks these malicious bots, protecting your site from automated attacks that enumerate users and performs brute-force logins.

Web-application firewall settings

Shield Security PRO's WAF settings.

A web-application firewall (WAF) is critical in preventing user enumeration attacks. Shield Security PRO’s WAF settings can be customised to provide optimal protection against a wide range of attacks, including user enumeration.

Using a WAF, you can block suspicious traffic and prevent the exploitation of vulnerabilities. It ensures that your site remains protected against known and emerging threats, providing peace of mind and comprehensive security.

There’s also an option with Shield’s Firewall to directly block user fishing/enumeration requests.

Additional methods for preventing WordPress user enumeration attacks

While ShieldPRO offers a rich set of tools to protect your WordPress site from user enumeration attacks, there are additional methods you can employ to further enhance your site’s security.

Adjusting WordPress settings to not display usernames in the URL

One common way attackers gather usernames is through the publicly displayed information on your WordPress site. By default, WordPress might display usernames in various locations, such as author archive pages as we discussed earlier. This can make your site vulnerable to user enumeration attacks.

To mitigate this risk, use plugins like Edit Author Slug or Stop User Enumeration to hide enumeration endpoints with a single click.

Adding rules to the .htaccess file

The .htaccess file is a configuration file used by Apache-based web servers. It allows you to set server directives and rules for your site.

Before making any changes, always create a backup of your current .htaccess file to avoid potential issues. Access your .htaccess file using an SFTP like FileZilla or your web host’s file manager and add the following lines to block author scans:

RewriteEngine On 
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

Explanation:

  • The RewriteEngine On directive enables the Apache mod_rewrite engine, allowing for URL rewriting and redirection.
  • RewriteCond %{QUERY_STRING} author=\d sets a condition for the rewrite rule. It checks if the query string contains “author=” followed by one or more digits.
  • RewriteRule ^ /? [L,R=301] specifies what to do if the condition is met. In this case, it redirects requests to the root directory / with a 301 (permanent) redirect status. 
  • The L flag signifies that this is the last rule to be processed, and the R=301 flag indicates the type of redirect.

Customising error messages to not disclose whether or not the username was correct

Specific error messages on your login page can provide clues to attackers about the validity of usernames. Customising these messages to be more generic can help prevent user enumeration.

In your child theme’s functions.php file, add the following code:

function no_wordpress_errors(){
  return 'Invalid login credentials.';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

This should be your result:

Changing the default WordPress error message to a custom one.

Secure your WordPress with Shield Security PRO

User enumeration can be a gateway to more severe attacks, putting your site’s security and reputation at risk. Thankfully, Shield Security PRO provides an all-around solution to this problem, offering a suite of tools specifically designed to protect your site.

Shield Security PRO alleviates worries about potential cyber threats, protects sensitive customer data, and simplifies security management. You will no longer have to stress over the possibility of unauthorised access or data breaches. With Shield Security PRO, you gain peace of mind knowing that your site is fortified against user enumeration attacks and other security threats.

Don’t wait until an attack happens – use Shield Security PRO and adopt a proactive approach to secure your WordPress site now!