WordPress – User Disclosure

Description

During the scan, Kayran found the WordPress – User Disclosure vulnerability: the site displays usernames that should be concealed in order to prevent User Disclosure.

An attacker can abuse the WordPress – User Disclosure through failed login attempts, because the login form responds differently depending on whether the username exists. This allows the attacker to enumerate valid usernames and use them in further attacks such as Phishing attempts, Brute-Force attacks, etc.

Web applications usually use an authentication mechanism to prevent unauthorized or anonymous users from accessing the application’s protected resources and functionalities. Attackers will try to find flaws in the authentication mechanism to get into those protected resources and functionalities. Username enumeration is one of the most common attacks performed against authentication mechanisms to identify the valid usernames on the system.

Recommendation

To prevent this vulnerability from happening:

  • Use policies to enforce strong WordPress passwords.
  • Enable 2FA with a WordPress two-factor authentication plugin.
  • Add HTTP authentication for the WordPress login page.
  • Restrict access to the login page and the /wp-admin/ section to authorized IP addresses only.

Also make sure to rename the admin account to something else to reduce the chance of successful brute force attacks.
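The recommendations above harden the account itself; the disclosure is fixed by making the login form answer every failure the same way. As an added example that is not part of this page or of WordPress, the must-use plugin below (assumed to be saved under wp-content/mu-plugins/) rewrites every login failure into one generic message and logs failures with a hashed username so operators can spot enumeration bursts without storing the attempted values in clear text.

```php
<?php
/*
 * Plugin Name: Generic Login Errors
 * Description: Added example (not WordPress core code). Hides whether a
 *              username exists by returning one generic login error, and
 *              logs failed attempts for detection of enumeration bursts.
 */

// wp-login.php passes the rendered error text through the 'login_errors'
// filter. Core produces distinct messages for an unknown username and for
// a wrong password; collapsing both into one string removes the signal
// the attacker uses to tell valid accounts from invalid ones.
add_filter( 'login_errors', function ( $error ) {
    // Keep an empty message empty so no spurious error appears on a clean form.
    if ( '' === trim( wp_strip_all_tags( (string) $error ) ) ) {
        return $error;
    }
    return esc_html__( 'Invalid username or password.', 'generic-login-errors' );
} );

// 'wp_login_failed' fires once per failed attempt with the submitted username.
// Logging a hash instead of the raw value lets an operator count distinct
// usernames per source IP (many different hashes from one IP in a short
// window is the enumeration pattern) without recording guessed names.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'wp_login_failed ip=%s user_hash=%s',
        $ip,
        hash( 'sha256', (string) $username )
    ) );
} );
```

This does not remove timing differences between existing and non-existing accounts, and the password-reset form has its own messages, so it complements the list above rather than replacing it.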

References

https://wordpress.org/support/article/updating-wordpress/
