User Enumeration Attacks are techniques with the purpose of finding valid login credentials such as usernames. Although not directly a vulnerability, standard or easy to automatically detect user names make it a easier for attackers to launch brute-force authentication attacks. Security experts will commonly refer to hiding usernames as “Security by Obscurity” which has a negative connotation. We however believe that any security measure that does not interfere with the functionality of your site while thwarting at least some automated attacks contributes to the security and should be considered.
By default, WordPress is vulnerable to user enumeration attempts. Combined with bad password practices user enumeration will make it much more likely for a brute-force authentication attack to be successful. This is why Really Simple SSL will allow you to implement the following security measures to make user enumeration much more difficult:
- Prevent usage of the ‘admin’ username
- Prevent setting the public display name equal to the username.
- Preventing login feedback
- Author pages
Below we will list a few known user enumeration techniques that Really Simple SSL helps to prevent.
Prevent usage of the ‘admin’ username
This setting will prevent the use of ‘admin’ as a username. By default WordPress will create an ‘admin’ user on installation. When you enable this setting in Really Simple SSL, we will check for an ‘admin’ user and change the username. Additionally, the creation of a new user with the name ‘admin’ will be prevented .
Prevent setting the public display name equal to the username
This setting will prevent the creation of users with a username that is equal to the display name. Because display names are easily found on your website, having users with a matching username increases the risk of a user enumeration attack.
Prevent Login feedback
By default, WordPress will provide feedback if a non-existing username is entered or if the username exists, but the password doesn’t. This feedback will make it a lot easier to confirm usernames and guess passwords. Really Simple SSL will allow you to disable this textual feedback. Be aware though that even if the “wrong password” notices are disabled, hackers might be able to determine whether a given username exists for the WordPress website, based on the response time it takes for the site to check the password for an existing user, compared to a user that doesn’t.
Author pages
WordPress will create author pages for each user. The URL for this page contains the username. Using this will require randomly trying url’s with usernames though, this will result in a lot of 404 errors which in itself can be detected and blocked. One very easy way to enumerate authors is to use the author-id pages. (yoursite.com)/?author=(ID). This will redirect the visitor to the corresponding author name. Really Simple SSL will block requests to the Author-ID url when disable user enumeration is enabled.