WordPress allows programmatic access to its metadata. This means that 3rd party software can connect to it using APIs and not directly through the web interface. It’s useful, because it allows all kinds of cool functionality. For example, Jetpack uses either XMLRPC or REST APIs to obtain all kinds of information about your installation and take remote actions. Like everyone else, you should probably disable XMLRPC whenever you get the chance.
The REST API is yet another endpoint, which allows others to probe your website. One of these is username enumeration. Using a URL structure like this for example:
Allows users to get information about the 5th user on WordPress.
You just need to change the number to get the rest of the users. On some of my WordPress installations, I can easily see hundreds of such requests per day. Cloudflare’s WAF doesn’t stop them, because they’re viewed as legitimate.
The WordPress Team Doesn’t Think it’s a Problem
It’s easy to understand why you might not want random people to be able to just extract not just the usernames, but also the full display names of everyone on your blog. After all, if all you require for site access is a username and password, knowing the username is like knowing half the key.
The classic “security” oriented answer to this problem is that it doesn’t matter if your username is exposed as long as you have a strong password. The reasoning is that no-one relies on ignorance of the username as a security measure. If your password is secure, that’s all that matters. However, this ignores a few additional variables.
First, like it or not, lots of people have insecure passwords. WordPress tries its best to force you to have complex passwords, but no doubt some keep them simple. For these individuals, keeping their username secret is undoubtedly helpful.
Second, knowledge of the username encourages further attacks against your login page. Without the username, a hacker won’t even bother trying to flood your page with XMLRPC attacks. Or try to repeatedly access your wp-login.php page. Either that, or they give up pretty soon when they find that your username doesn’t fit into a certain number of common names.
Keeping your username secure is just a good idea in general. And I don’t like the fact that WordPress allows its enumeration via the REST API. Here’s how I use Cloudflare Firewall rules to block them.
Using Cloudflare Firewall Rules to Block REST Username Enumeration
Under the “Firewall” section of Cloudflare’s dashboard, you can create a new rule with parameters like this:
Specify that the condition for the rule to trigger is that the full URL must match:
And then choose “Block” as the action. Save your rule, give it a minute or so to take effect, and then try and access the REST API again to find out the username. Here’s what you should see:
Cloudflare now neatly blocks all username requests. The best part about this method is that it doesn’t stress your site. I prefer to offload as much processing power to Cloudflare as possible, so that my site can be left free to deal with important stuff – like serving pages to users! Of course, you can also achieve the same effect via .htaccess rules, or even with custom WordPress code that removes the REST API endpoints. But I prefer to keep things simple and let Cloudflare handle the job for me.
I suggest you do the same. Block XMLRPC, block the REST API, and hide your login page. After all, why give anyone information about your site to free? Let them earn it!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
Leave a Reply