How To: Enumerate WordPress Users (and how to fix it)

  • by Amando Abreu
  • on 18 February 2019

A common attack vector for WordPress is to enumerate users and see what juicy data you can get.

This is easily done: if you browse to /?author=1, WordPress will kindly redirect you to /author/name/ and literally hand over the information you want.

# Probe author IDs 1..5; the Location header of the redirect (or the "View all posts by" title) carries the username
for i in {1..5}; do curl -s -L -i http://www.wordpress-site.com/?author=$i | grep -E -o "\" title=\"View all posts by [a-z0-9A-Z\-\.]+|Location:.*" | sed 's/\// /g' | cut -f 6 -d ' ' | grep -v "^$"; done

The fix

Place this code in your functions.php file.

if (!is_admin()) {
    // Default URL format (/?author=N): stop the request before WordPress can redirect it
    if (preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])) die();
    // Permalink URL format: hook the canonical redirect that would turn /?author=N into /author/name/
    add_filter('redirect_canonical', 'shapeSpace_check_enum', 10, 2);
}

function shapeSpace_check_enum($redirect, $request) {
    // $request is the URL as originally requested; bail out if it carries an author ID
    if (preg_match('/\?author=([0-9]*)(\/*)/i', $request)) die();
    return $redirect;
}
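As an added example (my own code, not from the post), a short Python script that spots the probe shown above in web-server access logs: one client walking through ?author=1, 2, 3, ... and receiving 301 redirects, which is exactly the disclosure the functions.php fix stops (after the fix the same request ends in a blank 200 instead). The log lines are constructed sample data, not real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in "combined" format (sample data, not real traffic).
# 203.0.113.7 walks author IDs 1..3 and gets 301s (usernames disclosed via /author/<slug>/);
# 198.51.100.4 hits a site with the functions.php fix applied and gets a blank 200 instead.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2019:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.64.0"
203.0.113.7 - - [18/Feb/2019:10:00:01 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "-" "curl/7.64.0"
203.0.113.7 - - [18/Feb/2019:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.64.0"
203.0.113.7 - - [18/Feb/2019:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "curl/7.64.0"
198.51.100.4 - - [18/Feb/2019:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Feb/2019:10:06:00 +0000] "GET /index.php?author=4 HTTP/1.1" 301 0 "-" "python-requests/2.21"
"""

# client IP, request target and status code of a combined-format entry
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def author_probes(log_text):
    """Map client IP -> list of (author_id, status) for every request carrying ?author=N."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        for value in query.get("author", []):
            if value.isdigit():
                probes[m.group("ip")].append((int(value), int(m.group("status"))))
    return dict(probes)

def enumeration_alerts(log_text, min_ids=3):
    """Flag clients that probed at least min_ids distinct author IDs; 'leaked' counts probes
    answered with a redirect (301/302), i.e. WordPress sent them to /author/<slug>/."""
    alerts = {}
    for ip, hits in author_probes(log_text).items():
        ids = sorted({author_id for author_id, _ in hits})
        if len(ids) >= min_ids:
            leaked = sum(1 for _, status in hits if status in (301, 302))
            alerts[ip] = {"ids": ids, "leaked": leaked}
    return alerts

if __name__ == "__main__":
    for ip, info in enumeration_alerts(SAMPLE_LOG).items():
        print(f"{ip}: probed author IDs {info['ids']}, {info['leaked']} disclosed via redirect")
```

Feed it a real access log and lower `min_ids` to tune sensitivity; a 301 on `?author=N` after deploying the fix means the filter is not active.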

About the author

Amando Abreu, tech enthusiast
