admin管理员组

文章数量:1429538

Recently I noticed various login attempts being blocked by security plug-in this is pretty much ordinary when the attempt is about non-existent users or default/common user names like the website name, or the classic admin etc..

Since the last week the login attempts (blocked after defined failed logins) were of real users, and the strange thing is that in some cases the users are not exposed in articles/pages as authors. Also consider that user iteration is suppressed, accessing ?author=1 gives no results but a 404 page.

it seems that they have found a different way to iterate users, do you know of any possible exploit that can be used and how to secure the websites?

Recently I noticed various login attempts being blocked by security plug-in this is pretty much ordinary when the attempt is about non-existent users or default/common user names like the website name, or the classic admin etc..

Since the last week the login attempts (blocked after defined failed logins) were of real users, and the strange thing is that in some cases the users are not exposed in articles/pages as authors. Also consider that user iteration is suppressed, accessing ?author=1 gives no results but a 404 page.

it seems that they have found a different way to iterate users, do you know of any possible exploit that can be used and how to secure the websites?

  • users
  • htaccess
  • security
Share Improve this question edited May 3, 2019 at 10:29 fuxia 107k39 gold badges255 silver badges459 bronze badges asked May 3, 2019 at 10:28 NymNym 1 2
  • What plugins are you using? I know Yoast SEO likes to enable Author Archives which are visible in the sitemap_index.xml Have you looked at your REST endpoints as well? You might be leaking data... – FaCE Commented May 3, 2019 at 10:31
  • @FaCE affected websites are not using Yoast. What should I check about possible data leak? – Nym Commented May 3, 2019 at 10:37
Add a comment  | 

1 Answer 1

Reset to default 0

You can use the REST API to list users:

/wp-json/wp/v2/users

Add that to the end of your website URL.

Plugins such as Wordfence can prevent anonymous users from accessing this.

You can also disable the REST API if you do not use it.

本文标签: htaccessIterating users while user iteration is suppressed

版权声明:本文标题:htaccess - Iterating users while user iteration is suppressed 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1745527547a2661906.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。