WP Author Security

描述

WP Author Security is a lightweight but powerful plugin to protect against user enumeration attacks on author pages and other places where valid user names can be obtained.

By default, WordPress will display some sensitive information on author pages.
The author page is typically called by requesting the URI https://yourdomain.tld/?author=<id> or with permalinks https://yourdomain.tld/author/<username>.
The page will include (depending on your theme) the full name (first and last name) as well as the username of the author which is used to log in to WordPress.

In some cases, it is not wanted to expose this information to the public. An attacker is able to brute force valid IDs or valid usernames. This information might be used for further attacks like social engineering attacks or log in brute force attacks with gathered usernames.
However, when using the plugin and you disable author pages completely it must be noted that you need to take care that your active theme will not display the author name itself on posts like “Posted by admin” or something like that. This is something the plugin will not handle (at the moment).

By using the extension, you are able to disable the author pages either completely or display them only when the author has at least one published post. When the page is disabled the default 404 error page of the active theme is displayed.

In addition, the plugin will also protect other locations which are commonly used by attackers to gather valid user names. These are:

  • The REST API for users which will list all users with published posts by default.
    https://yourdomain.tld/wp-json/wp/v2/users
  • The log in page where different error messages will indicate whether an entered user name or mail address exists or not. The plugin will display a neutral error message independently whether the user exists or not.
  • The password forgotten function will also allow an attacker to check for the existence of a user. As for the log in page the plugin will display a neutral message even when the user does not exists.
  • Requesting the feed endpoint /feed of your blog will also allow others to see the username or display name of the author. The plugin will remove the name from the result list.
  • WordPress supports so-called oEmbeds. This is a technique to embed a reference to a post into another post. However, this reference will also contain the author name and a direct link to the profile page. The plugin will also remove the name and link here.
  • Since WordPress 5.5 a default sitemap can be reached via /wp-sitemap.xml. This sitemap will disclose the usernames of all authors. If this should not be disclosed you are able to disable this feature of WordPress.

屏幕截图

  • Admin settings
  • 404 page when requesting author page by user ID.
  • Log in error message when the user name exists but a wrong password is entered.

安装

  1. Install the plugin via the Dashboard Plugins -> Add new or upload the plugin’s folder ‘wp-author-security’ from the zip into your WordPress plugin folder wp-content/plugins/ (e.g. via ftp)
  2. Activate the plugin in the WordPress backend
  3. Customize the settings by navigating to Settings -> WP Author Security

评价

此插件暂无评价。

贡献者及开发者

“WP Author Security” 是开源软件。 以下人员对此插件做出了贡献。

贡献者

“WP Author Security”插件已被翻译至4种本地话语言。 感谢所有译者为本插件所做的贡献。

将“WP Author Security”翻译成您的语言。

对开发感兴趣吗?

您可以浏览代码,查看SVN仓库,或通过RSS订阅开发日志

更新日志

1.4.1

  • Bugfix error on login check

1.4.0

  • added protection for the wp-sitemap.xml author disclosure

1.3.0

  • added protection for the /feed endpoint
  • added protection for the oEmbed endpoint

1.2.1

  • updated documentation
  • bugfix wrong mail detection

1.2.0

  • added protection for log in and password forgotten page
  • added language support for de/en

1.1.0

  • added protection for REST API

1.0.0

  • initial release