Wordpress Login Enumeration
Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user names. User Enumeration is a type of attack where nefarious parties can probe your website to discover your login name.
Did you know? All your burning filmmaking questions have answers. Find them in Vimeo Video School.
Block WordPress Login Enumeration, Fix WordPress User IDs and User Names Disclosure: This first security fix is the one I am really surprised is not in any security plugins that I checked out. It is definitely possible that the changes I recommend below break something else on your WordPress site however I have been testing this and been unable
Testing for User Enumeration and Guessable User Account (OWASP-AT-002) From OWASP in which we verify if, given a valid username, it is possible to find the corresponding password. Often, web applications reveal when a username exists on system, either as a consequence of a misconfiguration
If we disable enumeration an attacker now has to not only guess a password, but a username too. The work of writing 10 LOC to harden millions of websites seems trivial. I am just having a hard time understanding why WP wants to invite so much risk for literally no reward and zero development costs.
And with the way WordPress responds to failed login attempts it is very easy for attackers to automatically determine if a username exists or not on the target WordPress website. Username Disclosure is a Vulnerability in the Non WordPress World