In an out of the box WordPress installation there are several easy methods you can use to identify the usernames. The good thing is that there are several WordPress hacks you can implement to better hide the WordPress usernames, such as the ones mentioned below:
- Rename the default WordPress admin user
- Change the WordPress users’ default ID
- Hide WordPress usernames
The problem still remains though since the above hacks are not bulletproof. They will make it difficult for an attacker to guess a WordPress username, though there are still possibilities for an attacker to guess a WordPress username, as shown in the below example.
WordPress Username Disclosure
When you try to login to WordPress using a non-existing username, the response from WordPress indicates that an invalid username was used. The error message itself is invalid username.
If you try to login to WordPress using a valid username but a wrong password, WordPress’ error message indicates that the password for the specified username is incorrect by retaining the username in the response, therefore disclosing the username. The error message itself also confirms this The password you entered for the username admin is incorrect. For example in the below screenshot when I try to login to WordPress using admin, which is being used in this test installation. Can you spot the difference between the below and the above responses?
Why Is WordPress Username Disclosure a Problem?
WordPress websites are a common victim of brute force attacks. There are several reasons why but mainly this is due to the facts that:
- The URL of the WordPress users’ login page is the same for all the WordPress installations (http://www.example.com/wp-admin),
- By default the username of a WordPress administrator is admin and many users fail to rename it, so it is easy to guess,
- Many users use easy to guess credentials.
Till this day there are many automated scanners lurking around the internet trying to guess WordPress usernames and passwords. Install an audit trail plugin such as WP Security Audit Log and you will be surprised by how many attacks your WordPress gets.
Making WordPress Brute Force Attacks Easier for Hackers
If you guess the username during a brute force attack, the combination of attacks is reduced by 50%. And with the way WordPress responds to failed login attempts it is very easy for attackers to automatically determine if a username exists or not on the target WordPress website.
Username Disclosure is a Vulnerability in the Non WordPress World
Many other vendors such as Microsoft and Cisco have had this same identical problem in the past and addressed it. Many security professionals consider this as a security flaw in WordPress and there have already been several discussions about it. This issue was originally reported in 2009 in CVE-2009-2335 and has also been listed on WordPress track as ticket 3708.
Thought as can be seen from the track ticket the WordPress core team does not think this is an issue because there are many other ways how to reverse engineer a WordPress username. And this is true as highlighted in Enumerating usernames with WPScan. But wouldn’t it be more appropriate to identify all other WordPress user enumeration problems and start addressing them one by one? Even if it is not a security flaw why making it easier for attackers especially when WordPress is such a big target?
Apply the WordPress Username Hacks and Monitor WordPress
As already explained there are a number of WordPress hacks you can use to make it more difficult for an attacker to guess the WordPress username. Even though they are not bullet proof it is still recommended to apply them because they can prolong a WordPress brute force attack.
Why Should You Prolong the WordPress Brute Force Attack?
When you prolong a WordPress brute force attack you are giving yourself more time to identify the attack and take the necessary evasive actions. For example if you keep a WordPress audit trail you can notice the attack in the logs at a very early stage. The less time there is available for an attacker to complete the attack, the more unnoticed their actions are and the higher the chances of a successful brute force attack.
Other Options to Protect the WordPress Login Page
There are several other options available that will help you boost the security of your WordP ress login page. You can implement an additional layer of security by protecting the WordPress login page with HTTP authentication or you can implement two-factor authentication for WordPress.
Hence even though WordPress might not be taking the right stance on this one, or at least that is what many security professionals think, there are still a lot of options available out there.