Last Chance: Cyber Monday 40% OFF

Days
Hours
Minutes

USE CODE: CM2022

Tackle WordPress weaknesses and fortify your website Learn more

User Enumeration Attacks are several brute-force techniques with the purpose of guessing or confirming login credentials such as usernames, e-mail addresses and passwords.

By default, WordPress is vulnerable to such User Enumeration attempts. Of course, bad username and password practices will have an even greater impact on this vulnerability. This is why Really Simple SSL will advise you to implement the following security measures:

  • Prevent usernames like ‘admin’ for users with the administrator role.
  • Prevent setting the public display name equal to the username.
  • Enforce strong passwords.

Besides the basic measures mentioned above, brute-force user enumeration attacks will go to a greater extent in order to acquire login credentials and ultimately gain access to a website’s backend. Below we will list a few known user enumeration techniques that Really Simple SSL helps to prevent.

Login feedback

By default, WordPress will provide feedback if a non-existing username is entered or if the username exists, but the password doesn’t. This feedback will make it a lot easier to confirm usernames and guess passwords. Really Simple SSL will allow you to disable this textual feedback. But even if the “wrong password” notices are disabled, hackers are able to determine whether a given username exists for the WordPress website, based on the response time it takes for the site to check the password for an existing user, compared to a user that doesn’t.

Author pages

WordPress will create author pages for each user. The URL for this page contains the username. Additionally, usernames could be confirmed by making a request to (yoursite.com)/?author=(ID)

Table of Contents

Peter Tak

Peter Tak

Security Officer at Really Simple Plugins

Read More

Advanced Security

Tackle WordPress weaknesses and fortify your website. New hardening features!

Definitions

Want to know the in and outs of security jargon? Get to know our features.

Premium support will offer assistance in 24 hours. If you need help, or have any questions just contact our awesome support team/

Related articles