How to Stop Hackers From Discovering Usernames and Passwords on Your WordPress Website

Are you scared that hackers could discover the usernames on your WordPress site and gain access to it? If you're not, you should be, because scanning sites to discover usernames is a standard tactic for hackers.

When hackers discover a real username used on your WordPress website, they can crack the password using brute force and dictionary attacks to gain access to the site. From there, they can assume direct control of your website and cause all kinds of trouble, like stealing data, redirecting visitors to fake websites loaded with malware, sending out spam emails, and more.
In this article, we'll talk about how to prevent that.

To learn how to defend our WordPress sites, we must first understand what user enumeration is, because it increases the odds of a successful brute force attack on your site.

What is User Enumeration?

Username enumeration is the set of methods hackers use to find the users of a WordPress site. They scan the targeted WordPress website and collect usernames, which they then use when trying to log in.

All user credentials are stored in your WordPress site database, but hackers normally cannot reach your database and so can't read them there. Instead, they usually try to discover usernames by looking at the author names and email addresses exposed on the WordPress site. There are several types of user enumeration, and we need to look at all of them to understand how best to defend against them.

By accessing Author Archives

Every user on a WordPress site has a numeric ID, which WordPress uses to build that user's author archive. The author archive categorizes pages and posts according to who created them. Hackers can run scripts against your WordPress site that request author archives by user ID; from the response, they can discover the username linked to each ID.

Through the Login Form

WordPress displays a different message on a failed login depending on whether the username entered exists in the database. Hackers have tools that load a list of possible usernames and use the message WordPress returns to tell which ones are real.

How to prevent User Enumeration

You can stop user enumeration either by using a plugin or by manually inserting a snippet of code into your WordPress files. We do not recommend the manual method because it’s extremely risky. The slightest misstep can break your website. However, we will detail the steps for both.

Download and install the Stop User Enumeration Plugin

As the name suggests, you can install this plugin to protect your site from user enumeration. It can be found in the WordPress plugin repository. You can also use it to log the IP addresses that attempt to enumerate users on your site; if you have a firewall on your website, add those addresses to the list of IP addresses the firewall is blocking.

Block User Enumeration manually

    1. First, back up your WordPress site.
    2. Log in to your hosting account, and navigate to cPanel > File Manager.
    3. Open the public_html folder, navigate to wp-content and access your theme's folder. You have to select the theme that is active on your site.
    4. Now you can access your theme's functions.php file. Right-click and edit this file.
    5. Enter the following code at the end of the file (the comment line is kept so the addition is easy to find later):

        /** Block User Enumeration */
        function kl_block_user_enumeration_attempts() {
            // Leave the admin area alone; only front-end requests are checked.
            if ( is_admin() ) {
                return;
            }
            // A numeric ?author= query asks for an author archive by user ID.
            $author_by_id = ( isset( $_REQUEST['author'] ) && is_numeric( $_REQUEST['author'] ) );
            if ( $author_by_id ) {
                wp_die( 'Author archives have been disabled.' );
            }
        }
        add_action( 'template_redirect', 'kl_block_user_enumeration_attempts' );
    6. Exit and save the changes.

User enumeration will be blocked on your website now.

Note: We recommend that you do not do this method if you are not confident in your technical skills.
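As an added example (not the article's snippet and not code from any plugin), the following functions.php additions cover both enumeration vectors described above: they reject numeric ?author= requests, replace WordPress's username-specific login error with a generic one, and log the source IP of each attempt so it can be added to a firewall block list as suggested earlier. The helper names prefixed ex_ are assumptions; everything else uses standard WordPress hooks.

```php
<?php
// Added example for a theme's functions.php. Omit this opening <?php tag when
// pasting below an existing one. Helper names prefixed ex_ are hypothetical.

// Record the source IP in the PHP error log so it can be reviewed or blocked.
function ex_log_enumeration_attempt( $vector, $detail = '' ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'user-enumeration attempt (%s%s) from %s', $vector, $detail, $ip ) );
}

// Vector 1: author archives requested by numeric ID (?author=1).
// Only front-end requests are checked, so wp-admin keeps working for editors.
function ex_block_author_id_requests() {
    if ( is_admin() ) {
        return;
    }
    if ( isset( $_REQUEST['author'] ) && is_numeric( $_REQUEST['author'] ) ) {
        ex_log_enumeration_attempt( 'author-id' );
        // Answer with a 403 instead of the default 500 that wp_die() would send.
        wp_die( 'Author archives have been disabled.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'template_redirect', 'ex_block_author_id_requests' );

// Vector 2: the login form. WordPress normally says whether the username or the
// password was wrong; returning one fixed string removes that distinction.
function ex_generic_login_error( $error ) {
    return 'Invalid username or password.';
}
add_filter( 'login_errors', 'ex_generic_login_error' );

// Log failed logins with the username tried (never the password) so repeated
// guesses against many usernames from one IP stand out in the log.
function ex_log_failed_login( $username ) {
    ex_log_enumeration_attempt( 'login-form', ', user=' . sanitize_user( $username ) );
}
add_action( 'wp_login_failed', 'ex_log_failed_login' );
```

Because the login_errors filter also covers the lost-password form, its "no account with that username" message is masked as well.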

June 30, 2020