WordPress – User Disclosure

Description

The site reveals valid usernames; these should be concealed to prevent user disclosure.

Business Impact

An attacker can use failed login attempts to enumerate valid usernames remotely, and then use those usernames in further attacks such as phishing or brute-force attempts.

Recommendation

To prevent this vulnerability:
1. Use policies to enforce strong WordPress passwords.
2. Enable 2FA with a WordPress two-factor authentication plugin.
3. Add HTTP authentication for the WordPress login page.
Also, rename the admin account to something else to reduce the chance of a successful brute-force attack.

More Details

Web applications usually rely on an authentication mechanism to prevent unauthorized or anonymous users from reaching the application's protected resources and functionality.
Attackers look for flaws in that authentication mechanism to gain access to those protected resources and functionality.

Username enumeration is one of the most common attacks performed against an authentication mechanism; its goal is to identify which usernames are valid on the system.
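The Business Impact and More Details sections above describe the same weakness: a failed login tells the client whether the username exists. The following must-use plugin is an added example written for this report, not code from the WordPress project; it shows the direct countermeasure (one generic error message for every failed login) alongside a small detection hook that records failed attempts with the client address. The plugin file name, text domain and log line format are assumptions.

```php
<?php
/**
 * Plugin Name: Uniform Login Errors (added example)
 *
 * Drop this file into wp-content/mu-plugins/ so WordPress loads it on every
 * request. Illustrative example for this report, not WordPress project code;
 * the file name, text domain and log format are assumptions.
 */

// Mitigation: return the same message whether the username or the password
// was wrong, so a failed login no longer tells the client which usernames exist.
add_filter( 'login_errors', function ( $errors ) {
    // $errors is the HTML string WordPress would otherwise display; it is
    // discarded and replaced by a single generic message.
    return esc_html__( 'Invalid username or password.', 'uniform-login-errors' );
} );

// Detection: record each failed attempt with the client address, so an
// operator can spot one source cycling through many different usernames.
add_action( 'wp_login_failed', function ( $username ) {
    // Behind a reverse proxy REMOTE_ADDR is the proxy; configure the proxy
    // to pass the real client address if that applies to your deployment.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // Only the attempted username is recorded, never the password.
    error_log( sprintf(
        'wp_login_failed ip=%s user=%s',
        $ip,
        sanitize_user( $username, true )
    ) );
} );
```

The login_errors filter replaces every error WordPress shows on wp-login.php, including the lost-password flow, so test those flows after deploying it. The log lines feed whatever rate-limiting or alerting is already in place; this complements, rather than replaces, the password policy, 2FA and HTTP authentication listed under Recommendation.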
