Disallow REST API Username Enumeration in WordPress

By Bhagwad Park on October 14, 2020 0


WordPress allows programmatic access to its metadata. This means that third-party software can connect to it through APIs rather than through the web interface. This is useful because it enables all kinds of cool functionality. For example, Jetpack uses either XMLRPC or the REST API to obtain all kinds of information about your installation and to take remote actions. Like everyone else, you should probably disable XMLRPC whenever you get the chance.

The REST API is yet another endpoint that lets outsiders probe your website, and one of the things it exposes is username enumeration. For example, a URL like this:

https://www.example.com/wp-json/wp/v2/users/5

returns information about user ID 5 on your WordPress site.

The REST API Allows for Username Enumeration on WordPress

You just need to change the number to get the rest of the users. On some of my WordPress installations, I can easily see hundreds of such requests per day. Cloudflare’s WAF doesn’t stop them, because they’re viewed as legitimate.

The WordPress Team Doesn’t Think it’s a Problem

It’s easy to understand why you might not want random people to be able to extract not just the usernames, but also the full display names of everyone on your blog. After all, if all you require for site access is a username and password, knowing the username is like knowing half the key.

The classic “security” oriented answer to this problem is that it doesn’t matter if your username is exposed as long as you have a strong password. The reasoning is that no one relies on ignorance of the username as a security measure: if your password is secure, that’s all that matters. However, this ignores a few additional variables.

First, like it or not, lots of people have insecure passwords. WordPress tries its best to force you to have complex passwords, but no doubt some keep them simple. For these individuals, keeping their username secret is undoubtedly helpful.

Second, knowledge of the username encourages further attacks against your login page. Without the username, a hacker won’t even bother trying to flood your site with XMLRPC login attempts or to repeatedly hit your wp-login.php page. Either that, or they give up pretty soon when they find that your username isn’t one of a certain number of common names.

Keeping your username secure is just a good idea in general. And I don’t like the fact that WordPress allows its enumeration via the REST API. Here’s how I use Cloudflare Firewall rules to block them.

Using Cloudflare Firewall Rules to Block REST Username Enumeration

Under the “Firewall” section of Cloudflare’s dashboard, you can create a new rule with parameters like this:

Creating a Firewall Rule on Cloudflare to Block the REST API

Specify that the condition for the rule to trigger is that the full URL must match:

/wp-json/wp/v2/users/

And then choose “Block” as the action. Save your rule, give it a minute or so to take effect, and then try to access the REST API again to find out the username. Here’s what you should see:

Username Enumeration Disabled

Cloudflare now neatly blocks all username requests. The best part about this method is that it doesn’t stress your site. I prefer to offload as much processing power to Cloudflare as possible, so that my site can be left free to deal with important stuff – like serving pages to users! Of course, you can also achieve the same effect via .htaccess rules, or even with custom WordPress code that removes the REST API endpoints. But I prefer to keep things simple and let Cloudflare handle the job for me.
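For anyone who prefers the custom-code route the paragraph above mentions, here is an added example of a must-use plugin that removes the two public user routes for visitors who are not logged in. It is not code from the article, from NameHero or from WordPress core; the function name and the file location are my own choices, while the two route keys are the ones WordPress core registers for its users controller. Logged-in users keep the routes because the block editor and author selectors call /wp/v2/users themselves.

```php
<?php
/**
 * Plugin Name: Disable public REST user enumeration
 * Description: Removes the /wp/v2/users routes for visitors who are not logged in.
 *
 * Added example, not the article's code. Save as
 * wp-content/mu-plugins/disable-user-enumeration.php so it loads on every
 * request without needing activation.
 */

add_filter( 'rest_endpoints', 'sh_hide_user_routes_from_guests' );

/**
 * Strip the user listing and single-user routes from the REST route table
 * unless the current request is authenticated.
 *
 * Because this runs inside WordPress, it applies to every request that
 * WordPress routes to these endpoints, however the URL was written.
 *
 * @param array $endpoints Registered REST routes, keyed by route pattern.
 * @return array The filtered route table.
 */
function sh_hide_user_routes_from_guests( $endpoints ) {
    // Authenticated users (cookie + nonce, application passwords, etc.)
    // keep full access; only anonymous visitors lose the routes.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Route keys exactly as WP_REST_Users_Controller registers them in core.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );

    foreach ( $user_routes as $route ) {
        if ( isset( $endpoints[ $route ] ) ) {
            unset( $endpoints[ $route ] );
        }
    }

    return $endpoints;
}
```

With this file in place, an anonymous request to /wp-json/wp/v2/users/5 receives WordPress’s standard rest_no_route 404 response instead of the user’s name and slug, and the same happens for the /wp-json/wp/v2/users listing. The cost is a little PHP time on every REST request, which is exactly the work the Cloudflare rule keeps off your server.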

I suggest you do the same. Block XMLRPC, block the REST API, and hide your login page. After all, why give anyone information about your site for free? Let them earn it!

Bhagwad Park

I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
