
#31676 – Blocking User Enumeration

Posted in ‘Akeeba Admin Tools for WordPress’
Wednesday, 28 August 2019 09:22 CDT
Is there a setting in WordPress (or Joomla!) Admin Tools that can be used to block user enumeration, so usernames cannot be scanned?

John

John P.
pcshost
Wednesday, 28 August 2019 10:36 CDT
Hello,

Yes and no.
Let's start with Joomla. Joomla, by default, is not as vulnerable as WordPress to user enumeration. However, if you have user registration enabled, the attacker can try to create a new user with some strange email address (so he will be sure it doesn't exist) and iterate over a list of well-known usernames. In that case Joomla will trigger an error if the user actually exists. This is doable, but it's not so trivial.
You can easily mitigate this by disabling user registration if it's not needed and using non-trivial usernames for Super Users (for the love of God, do not use admin).

WordPress is a different beast: you can easily enumerate all the usernames by simply providing the wrong password. If the user exists, WordPress will say something like "Incorrect password for user XXX", while if the user doesn't exist it will say "Invalid user account". As you can see, it's trivial for an attacker to enumerate all the users.
However, Admin Tools can protect you in this case. First of all, it can block users who fail to provide the correct password several times; moreover, it can change the "wrong password" message so that it removes the username from the alert.

Hope this helps.


Davide Tampellini
Developer and Support Staff
Italian: native
English: good
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

tampe125
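The mitigation Davide describes (make the "wrong username" and "wrong password" outcomes indistinguishable) can be reproduced without Admin Tools with a few lines of plugin code. The following is an added example written for this page, not code from Akeeba or from WordPress core; the function name and the exact message text are my own choices. It assumes a stock WordPress install and relies on two facts about core: the `authenticate` filter receives the result of the built-in username and e-mail handlers, which run at priority 20, and those handlers report the leaky outcomes with the error codes `invalid_username`, `invalid_email` and `incorrect_password`.

```php
<?php
/**
 * Plugin Name: Generic login failure message (added example, not part of Admin Tools)
 *
 * Drop this file into wp-content/mu-plugins/ so it is loaded on every request.
 * It hooks the 'authenticate' filter after WordPress's own username/e-mail
 * handlers (priority 20) and collapses the two distinguishable failures into
 * one generic WP_Error, so a wrong username and a wrong password yield the
 * same error code and the same text.
 */

add_filter( 'authenticate', 'example_generic_login_error', 50, 3 );

/**
 * @param null|WP_User|WP_Error $user     Result of the earlier authenticate handlers.
 * @param string                $username Submitted username or e-mail address.
 * @param string                $password Submitted password.
 * @return null|WP_User|WP_Error
 */
function example_generic_login_error( $user, $username, $password ) {
	if ( ! is_wp_error( $user ) ) {
		return $user; // Successful login, or nothing ran yet: leave untouched.
	}

	// Error codes core uses for the two outcomes an attacker tells apart:
	//   invalid_username / invalid_email -> the account does not exist
	//   incorrect_password               -> the account exists, wrong password
	$leaky = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

	if ( array_intersect( $leaky, $user->get_error_codes() ) ) {
		// Same code, same text, whichever branch core actually took.
		// The wording is an assumption of this example; pick your own.
		return new WP_Error(
			'login_failed',
			__( '<strong>Error:</strong> The username or password you entered is incorrect.' )
		);
	}

	return $user; // e.g. empty_username / empty_password: nothing to hide here.
}
```

Hooking `authenticate` rather than the wp-login.php-only `login_errors` filter means the same generic error is returned wherever core calls `wp_authenticate()`, including XML-RPC, and the `wp_login_failed` action still fires so lockout plugins keep counting attempts. Equalising the message does not equalise timing: core returns `invalid_username` before it hashes the submitted password, so a patient attacker can still measure the difference, which is why the failed-login blocking Davide mentions matters as much as the message change.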
Wednesday, 28 August 2019 13:50 CDT
Can you guide me where to change the "wrong password" message so it can remove the username from the alert?

Grazie (thanks), ;-)

John P.
pcshost
Thursday, 29 August 2019 02:10 CDT
Please take a look at this page of the documentation


Davide Tampellini

tampe125
Saturday, 28 September 2019 17:17 CDT
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
system