Disallow REST API Username Enumeration in WordPress

Bhagwad Park

Published on: October 14, 2020

Categories: WordPress

WordPress allows programmatic access to its metadata. This means that third-party software can connect to it through APIs rather than through the web interface. It’s useful, because it enables all kinds of cool functionality. For example, Jetpack uses either XMLRPC or the REST API to obtain all kinds of information about your installation and to take remote actions. Like everyone else, you should probably disable XMLRPC whenever you get the chance.

The REST API is another such endpoint, and it lets anyone probe your website. One thing it exposes is username enumeration, using a URL structure like this:

https://www.example.com/wp-json/wp/v2/users/5

This returns information about user number 5 (the user with ID 5) on that WordPress site.

[Image: The REST API Allows for Username Enumeration on WordPress]

You just need to change the number to get the rest of the users. On some of my WordPress installations, I can easily see hundreds of such requests per day. Cloudflare’s WAF doesn’t stop them, because they’re viewed as legitimate.

The WordPress Team Doesn’t Think it’s a Problem

It’s easy to understand why you might not want random people to be able to extract not only the usernames, but also the full display names of everyone on your blog. After all, if all you require for site access is a username and password, knowing the username is like knowing half the key.

The classic “security” oriented answer to this problem is that it doesn’t matter if your username is exposed as long as you have a strong password. The reasoning is that no-one relies on ignorance of the username as a security measure. If your password is secure, that’s all that matters. However, this ignores a few additional variables.

First, like it or not, lots of people have insecure passwords. WordPress tries its best to force you to have complex passwords, but no doubt some keep them simple. For these individuals, keeping their username secret is undoubtedly helpful.

Second, knowledge of the username encourages further attacks against your login page. Without it, a hacker won’t even bother flooding your site with XMLRPC login attempts or repeatedly hitting your wp-login.php page. Or, if they do try, they give up fairly soon once they find that your username isn’t one of a certain number of common names.

Keeping your username secure is just a good idea in general. And I don’t like the fact that WordPress allows its enumeration via the REST API. Here’s how I use Cloudflare Firewall rules to block them.

Using Cloudflare Firewall Rules to Block REST Username Enumeration

Under the “Firewall” section of Cloudflare’s dashboard, you can create a new rule with parameters like this:

[Image: Creating a Firewall Rule on Cloudflare to Block the REST API]

Specify that the condition for the rule to trigger is that the full URL must match:

/wp-json/wp/v2/users/

And then choose “Block” as the action. Save your rule, give it a minute or so to take effect, and then try and access the REST API again to find out the username. Here’s what you should see:

[Image: Username Enumeration Disabled]

Cloudflare now neatly blocks all username requests. The best part about this method is that it doesn’t put any load on your site. I prefer to offload as much processing to Cloudflare as possible, so that my site is left free to deal with the important stuff – like serving pages to users! Of course, you can also achieve the same effect via .htaccess rules, or even with custom WordPress code that removes the REST API endpoints. But I prefer to keep things simple and let Cloudflare handle the job for me.
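For anyone who prefers the "custom WordPress code" route mentioned above, here is an added example of a must-use plugin that removes the users routes from the REST API for unauthenticated requests. It is example code written for this post, not NameHero's or WordPress core's code, and the plugin name and file location are assumptions. The `rest_endpoints` filter is a real WordPress hook; removing a route there makes WordPress answer with a `rest_no_route` 404 no matter how the request reaches the REST server, whether through the pretty `/wp-json/...` path or the `?rest_route=/wp/v2/users/5` query form, which a Cloudflare rule that matches only the URL path would not see. It also covers the collection endpoint `/wp/v2/users` (no trailing slash, lists all users), which a path match on `/wp-json/wp/v2/users/` misses.

```php
<?php
/**
 * Plugin Name: Disable Public REST User Enumeration (example)
 *
 * Hypothetical must-use plugin, written as an illustration for this post.
 * Save it as wp-content/mu-plugins/disable-rest-user-enumeration.php
 * (assumed path); mu-plugins load automatically and cannot be deactivated
 * from the dashboard.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Direct access to the file does nothing.
}

/**
 * Drop every route under /wp/v2/users for visitors who are not logged in.
 *
 * The filter runs inside WP_REST_Server::get_routes() at dispatch time, after
 * cookie/nonce authentication has been evaluated, so the block editor and
 * other logged-in clients that need author lookups keep working.
 *
 * @param array $endpoints Registered REST routes, keyed by route regex.
 * @return array Filtered routes.
 */
function example_hide_user_routes_from_public( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches the collection route (/wp/v2/users), the single-user
        // route (/wp/v2/users/(?P<id>[\d]+)) and /wp/v2/users/me.
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    return $endpoints;
}
add_filter( 'rest_endpoints', 'example_hide_user_routes_from_public' );
```

After installing it, an anonymous request to `/wp-json/wp/v2/users/5` (or `/?rest_route=/wp/v2/users/5`) returns a JSON error with code `rest_no_route` and HTTP status 404, while a logged-in editor still gets the normal response. This filter only affects the REST API; it does nothing for XMLRPC, which the post already recommends disabling separately.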

I suggest you do the same. Block XMLRPC, block the REST API, and hide your login page. After all, why give anyone information about your site for free? Let them earn it!

Bhagwad Park

I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
