By Joe Cress & Howard Wu, Trava
WordPress leaks information in many ways and it is very easy for attackers to find anything from usernames to plugin information.
WordPress leaks information in many ways and it is very easy for attackers to find anything from usernames to plugin information. There isn't a way to fully prevent all of it, however, there are ways you can reduce the chance of being targeted by attackers. Follow the below information to help determine your website's risk.
Server headers often give a good clue about what kind of web server or hosting provider a website is running. Once we know the hosting provider, we can start examining their security for weaknesses.
XML-RPC is enabled on this site. XML-RPC needs to be disabled on a majority of WordPress sites unless you have a specific reason for it to stay enabled. This is enabled by default and can allow DDoS attacks to take place.
On a similar note. WordPress by default uses a feature called permalinks which are permanent URLs to individual posts and pages ( i.e. http://example.com/?p=1234). This feature makes user enumeration work extremely easy on WordPress sites.
WordPress also allows you to list all the posts by the author’s names (i.e. http://wordpress.com/author/ja...). Furthermore, WordPress also allows you to refer to authors using their ID which then redirects them to the URL with their usernames on it. This makes attackers very easy to exploit this functionality to get a hold of which usernames are associated with a particular WordPress site.
You can easily identify the WordPress version the site is running. In this example, you can see the site is running WordPress 5.4.10, which you can then discern if there are vulnerabilities in that version of WordPress
Identifying the WordPress theme will allow you to understand if they are running a vulnerable version of the theme.
Finding a list of plugins and versions is a very high priority for an attacker. With this information, you can identify some of the plugins a site is running. You can also learn the version of these plugins to determine if there are any vulnerabilities.
Finding a list of users is an enormous win for an attacker. Some WordPress site owners even use email addresses as usernames. Once you have a list of users, you can initiate a brute-force, social engineering, or another kind of attack with that information and a little bit of internet research. In this example, you can see there is a username “joe-cress” which would imply a first and last name. A simple Google search has the ability to find that person and learn more about them to potentially engage them in a social engineering attack to attempt to have them give up credentials or other information about this site.
WordPress leaks usernames in many ways and it is very easy for attackers to enumerate and find information on users. There isn’t a way to fully prevent user enumeration, however, there are ways you can reduce the chance of being targeted by attackers. By making the enumeration process harder for the attackers will certainly reduce your chances of the attack surface. It’s always a good idea to disable WordPress XML-RPC if you’re not using this feature. This feature can cause brute force attacks as well as DDoS attacks on your site. It’s also a good idea to configure your web server to block requests to /?author=<#> so that it won’t leak any usernames or ID. And lastly, to check that the admin login page (/wp-admin and /wp-login.php) are not open to the public internet. This could easily allow attackers to brute force or conduct injections to gain access as administrator.
