#31676 Blocking User Enumeration

Posted in ‘Admin Tools for WordPress’

Environment Information

WordPress version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Saturday, 28 September 2019 17:17 CDT

pcshost
Is there a setting in Wordpress (or Joomla!) Admin Tools that can be used to Block User Enumeration so usernames cannot be scanned?

John
John P.

tampe125
Akeeba Staff
Hello,

Yes and no.
Let's start with Joomla. Joomla, by default, is not as vulnerable as WordPress to user enumeration. However, if you have user registration enabled, the attacker can try to create a new user with some strange email address (so he will be sure it doesn't exist) and iterate over a list of well-known usernames. In that case Joomla will trigger an error if the user actually exists. This is doable, but it's not so trivial.
You can easily mitigate this by disabling user registration if it's not needed and using non-trivial usernames for Super Users (for the love of God, do not use admin).

WordPress is a different beast: you can easily enumerate all the usernames by simply providing the wrong password. If the user exists, WordPress will say something like "Incorrect password for user XXX", while if the user doesn't exist it will say "Invalid user account". As you can see, it's trivial for an attacker to enumerate all the users.
However, Admin Tools can protect you in this case. First of all, you can block users who fail to provide the password several times; moreover, it can change the "wrong password" message so that the username is removed from the alert.

Hope this helps.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
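As an added example (not Admin Tools code and not part of this ticket), here is a small WordPress plugin that applies both mitigations Davide describes: a uniform login error message via WordPress's core `login_errors` filter, and a per-address lockout after repeated failures, built on `wp_login_failed`, the `authenticate` filter and transients. The plugin name, the `ULE_` constants and the `ule_` function names are my own, and it assumes `REMOTE_ADDR` is the real client address (no reverse proxy in front).

```php
<?php
/*
Plugin Name: Uniform Login Errors (added example, not Admin Tools)
*/

// Stop the login form from telling an attacker whether a username exists:
// "Incorrect password for user X" and "Invalid user account" both become one string.
add_filter( 'login_errors', function ( $error ) {
    return 'Invalid username or password.';
} );

const ULE_MAX_FAILURES    = 5;    // failed attempts allowed per address
const ULE_LOCKOUT_SECONDS = 900;  // lockout / counter lifetime in seconds

// One transient per client address (assumes REMOTE_ADDR is the client, not a proxy).
function ule_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ule_fail_' . md5( $ip );
}

// Count every failed login; the transient expires on its own after the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ule_transient_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, ULE_LOCKOUT_SECONDS );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a locked-out address is refused even when the credentials are correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( ule_transient_key() ) >= ULE_MAX_FAILURES ) {
        // Same generic wording as above: the lockout must not leak anything either.
        return new WP_Error( 'ule_locked_out', 'Invalid username or password.' );
    }
    return $user;
}, 30, 3 );
```

Because `wp_login_failed` also fires for the lockout error, further attempts during the lockout keep extending it; the counter clears once the address stays quiet for the full window.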

pcshost
Can you guide me where to change the "wrong password" message so it can remove the username from the alert?

Thanks, ;-)

John P.

tampe125
Akeeba Staff
Please take a look at this page of the documentation

Davide Tampellini

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.