Stop Username enumeration.


Today, our conversation is going to be about preventing username enumeration in WordPress, and it has become very necessary since tools like WPScan are freely available. Displaying usernames can be a security threat, because a known username is half of a login. There are a couple of ways to stop this username enumeration, but I would like to talk about the simplest and the most effective way to do it. Should we begin?

First of all, I would like to log in to my cPanel and then navigate to “File Manager”, which will show me the files. There is a very important file I am going to edit, and it is a hidden file. So, now I will go to Settings (located at the top of the File Manager) and check the “Show hidden files” option there. That’s it. I will click “Reload” and it will refresh the File Manager. Now I can see all the hidden files on my drive.

Caution: Deleting or editing anything improperly here might cause you big trouble. So, please be careful.

Please have a look at the images below. 

We will open the “public_html” folder in the cPanel File Manager. I will look for a file named “.htaccess”. I will right-click on it and, from the right-click menu, choose “Edit”. Yes, I have the .htaccess file open in the “Editor”. Pay attention when you are editing this file (or any important file that contains code): if a key is pressed on the keyboard by accident (especially a wildcard character such as * or ?) and the character lands in the editor before, after or in the middle of the existing text, that alone can break the file and cause you trouble.

We will go to the very bottom of that .htaccess file, where there is an empty area, and paste the following code there. Then we will click “Save” and “Close” the editor. That is all. Now, usernames cannot be enumerated through the author query anymore.

# Block user enumeration via ?author=N (mod_rewrite must be enabled; harmless if it already is)
RewriteEngine On
# Home page requested with ?author=N: send to the site root; the trailing ? drops the query string
RewriteCond %{REQUEST_URI}  ^/$
RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
RewriteRule ^(.*)$ https://novicecamp.com/? [L,R=301]
# Any other URL carrying author=<digit> gets the same treatment (note the backslash in \d)
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

Note: In the rules above you see https://novicecamp.com; please delete it and put your own domain name there (the site you want to protect). Then go to cPanel -> File Manager once again and uncheck the “Show hidden files” option, so hidden files will not be visible anymore.
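As an added check that is not part of the original post, the following Python script re-evaluates the two rewrite conditions offline, using the same PCRE patterns mod_rewrite applies (`^/?author=([0-9]*)` on the home page and `author=\d`, backslash included, everywhere else), so you can see which probe URLs the rules catch and which they let through. It also shows why a stripped backslash (`author=d`) silently disables the second rule, and includes a `check_live()` helper that asks a real site for `/?author=1` without following the redirect, so you can confirm the 301 after saving the file. `https://example.com` is a placeholder for your own domain.

```python
import re
import urllib.request
import urllib.error
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Patterns copied from the two .htaccess rules. mod_rewrite uses PCRE, and
# Python's re module accepts these exact expressions unchanged.
HOME_PATH = re.compile(r"^/$")                      # RewriteCond %{REQUEST_URI} ^/$
HOME_AUTHOR_QS = re.compile(r"^/?author=([0-9]*)")  # RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
ANY_AUTHOR_QS = re.compile(r"author=\d")            # RewriteCond %{QUERY_STRING} author=\d

# What survives when the backslash is lost in copy-paste: this matches only the
# literal text "author=d", so a probe such as ?author=1 is never redirected.
GARBLED_AUTHOR_QS = re.compile(r"author=d")


def rewrite_decision(url: str, home: str = "https://example.com") -> Optional[str]:
    """Return the Location the rule set would answer with, or None if it does not fire.

    `home` is a placeholder for the site's own domain (the post uses
    novicecamp.com). Both RewriteRule targets end in "?", so the redirect
    carries no query string and the author id never reaches WordPress.
    """
    parts = urlsplit(url)
    path, query = parts.path or "/", parts.query
    if HOME_PATH.search(path) and HOME_AUTHOR_QS.search(query):
        return home + "/"          # first rule: home page with any author= query
    if ANY_AUTHOR_QS.search(query):
        return home + "/"          # second rule: author=<digit> anywhere in the query
    return None


def garbled_rule_fires(url: str) -> bool:
    """Whether the broken `author=d` condition would catch this request."""
    return bool(GARBLED_AUTHOR_QS.search(urlsplit(url).query))


def check_live(site: str, author_id: int = 1, timeout: float = 10) -> Tuple[int, str]:
    """Request <site>/?author=N without following redirects; return (status, Location).

    A protected site answers 301 with its root as Location. This needs
    network access, so it is not exercised by the offline checks.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None            # stop urllib from following the redirect

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(f"{site.rstrip('/')}/?author={author_id}", method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:   # an unfollowed 3xx surfaces as HTTPError
        return err.code, err.headers.get("Location", "")


if __name__ == "__main__":
    # Constructed probe URLs: the first two are enumeration attempts the rules
    # stop, the last two are ordinary requests they leave alone.
    for probe in ("https://example.com/?author=1",
                  "https://example.com/blog/?p=7&author=12",
                  "https://example.com/?p=7",
                  "https://example.com/blog/?author=admin"):
        print(f"{probe:45} -> {rewrite_decision(probe)}"
              f"  (garbled author=d fires: {garbled_rule_fires(probe)})")
```

Run it once with no arguments to see the offline decisions, then call `check_live("https://yourdomain")` from a Python shell after saving the .htaccess file: a status of 301 with a Location of your site root means the rule is active, while a 200 (or a 301 pointing at an `/author/...` page) means WordPress still answered the probe itself.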

All the best.


4 thoughts on “Stop Username enumeration.”

  • March 5, 2019 at 5:06 pm

    Nice post. I was checking constantly this blog and I am impressed! Very useful info particularly the last part 🙂 I care for such info a lot. I was seeking this particular info for a long time. Thank you and best of luck.

    • March 5, 2019 at 5:57 pm

      Thank you Margart Barriault and welcome always.

  • March 19, 2019 at 2:49 am

    I know this is off topic, but I’m looking into starting my own blog and was wondering what all is needed to get set up? I’m assuming having a blog like yours would cost a pretty penny? I’m not very web smart so I’m not 100% certain. Any recommendations or advice would be greatly appreciated. Appreciate it.

    • March 23, 2019 at 1:37 pm

      Hello “Stefany Cholakyan”. I started this website with a very cheap hosting plan, it is about $2.5 a month for hosting and I paid about $8 for the domain and it is for a year and each year, I will have to renew it paying the same amount. After that, I installed WordPress and I chose a very stable theme, I used “colormag” theme here and it comes for free and I made a child theme of it soon after I installed WordPress. It would not cost you much to start a website, WordPress offers almost everything for free, all the tools and guidance that you might need. Here I also write often about WordPress. And even if you need more help regarding WordPress or any website, you could easily comment here. You are always welcome. All the best.
