NameHero Blog
Disallow REST API Username Enumeration in WordPress

Bhagwad Park

Published on: October 14, 2020

Categories: WordPress

WordPress allows programmatic access to its metadata. This means that third-party software can connect to it through APIs rather than through the web interface. It’s useful, because it enables all kinds of functionality. For example, Jetpack uses either XMLRPC or the REST API to obtain information about your installation and take remote actions. Like everyone else, you should probably disable XMLRPC whenever you get the chance.

The REST API is another endpoint that allows others to probe your website, and one of the things it exposes is username enumeration. A URL like this, for example:

https://www.example.com/wp-json/wp/v2/users/5

returns information about the user with ID 5 on your WordPress site.

The REST API Allows for Username Enumeration on WordPress

You just need to change the number to get the rest of the users. On some of my WordPress installations, I can easily see hundreds of such requests per day. Cloudflare’s WAF doesn’t stop them, because they look like legitimate requests.

The WordPress Team Doesn’t Think it’s a Problem

It’s easy to understand why you might not want random people to be able to extract not just the usernames, but also the full display names of everyone on your blog. After all, if a username and password are all that’s required for site access, knowing the username is like knowing half the key.

The classic “security”-oriented answer to this problem is that it doesn’t matter if your username is exposed as long as you have a strong password. The reasoning is that no one relies on ignorance of the username as a security measure. If your password is secure, that’s all that matters. However, this ignores a few additional variables.

First, like it or not, lots of people have insecure passwords. WordPress tries its best to force you to have complex passwords, but no doubt some keep them simple. For these individuals, keeping their username secret is undoubtedly helpful.

Second, knowledge of the username encourages further attacks against your login page. Without it, an attacker won’t even bother flooding your site with XMLRPC login attempts or repeatedly hitting your wp-login.php page; or they give up fairly quickly once they find that your username isn’t one of a short list of common names.

Keeping your username secure is just a good idea in general. And I don’t like the fact that WordPress allows its enumeration via the REST API. Here’s how I use Cloudflare Firewall rules to block them.

Using Cloudflare Firewall Rules to Block REST Username Enumeration

Under the “Firewall” section of Cloudflare’s dashboard, you can create a new rule with parameters like this:

Creating a Firewall Rule on Cloudflare to Block the REST API

Specify that the condition for the rule to trigger is that the full URL must match:

/wp-json/wp/v2/users/

And then choose “Block” as the action. Save your rule, give it a minute or so to take effect, and then try to access the REST API again to look up a username. Here’s what you should see:

Username Enumeration Disabled

Cloudflare now neatly blocks all username requests. The best part about this method is that it doesn’t stress your site. I prefer to offload as much processing as possible to Cloudflare, so that my site can be left free to deal with important stuff – like serving pages to users! Of course, you can also achieve the same effect via .htaccess rules, or even with custom WordPress code that removes the REST API endpoints. But I prefer to keep things simple and let Cloudflare handle the job for me.
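As an added example that is not code from this post or from WordPress core, here is the “custom WordPress code” alternative mentioned above, written as a must-use plugin. It relies on the core `rest_endpoints` filter and `is_user_logged_in()`; the file name, plugin header text and function name are this example’s own, and the `wp-content/mu-plugins/` location is the assumed install path.

```php
<?php
/**
 * Plugin Name: Hide REST API user routes from anonymous visitors
 * Description: Added example (not NameHero's or WordPress core code). Removes
 *              the /wp/v2/users routes for requests that are not authenticated.
 *
 * Assumed install path: wp-content/mu-plugins/hide-user-routes.php
 * (must-use plugins load automatically and cannot be disabled from the dashboard).
 */

// 'rest_endpoints' and is_user_logged_in() are WordPress core APIs;
// the function name below is this example's own.
add_filter( 'rest_endpoints', 'example_hide_user_routes' );

/**
 * Strip the users collection and single-user routes for anonymous callers.
 *
 * WP_REST_Server authenticates the request (cookie + nonce, or application
 * password) before it builds the route table, so by the time this filter runs
 * is_user_logged_in() reflects the real caller.
 *
 * @param array $endpoints Registered REST routes, keyed by route pattern.
 * @return array Route table with the user routes removed for anonymous requests.
 */
function example_hide_user_routes( $endpoints ) {
	// Logged-in users (authors picking a post author in the editor, admins
	// managing accounts) keep the routes; only anonymous requests lose them.
	if ( is_user_logged_in() ) {
		return $endpoints;
	}

	// Exact keys registered by WP_REST_Users_Controller::register_routes().
	$user_routes = array(
		'/wp/v2/users',                  // list users, e.g. /wp-json/wp/v2/users?per_page=100
		'/wp/v2/users/(?P<id>[\d]+)',    // single user, e.g. /wp-json/wp/v2/users/5
	);

	foreach ( $user_routes as $route ) {
		unset( $endpoints[ $route ] );
	}

	return $endpoints;
}
```

With the file in place, an anonymous request to either route gets WordPress’s standard 404 `rest_no_route` response, while anything that authenticates (a logged-in session with a nonce, or an application password) keeps full access, so the block editor’s author picker still works. Because the route is removed inside WordPress itself rather than by matching a URL pattern at the edge, it applies however the request reaches the REST server; the trade-off is that WordPress still has to process each request instead of Cloudflare dropping it before it reaches your server.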

I suggest you do the same. Block XMLRPC, block the REST API, and hide your login page. After all, why give anyone information about your site for free? Let them earn it!

Bhagwad Park

I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
