Default WordPress install leaks user login name – avoid ?author=1 attack

Did you know that you can obtain WordPress user login names with a simple URL parameter?

I have only been using WordPress for the last two years, but I never realized how easy it is to find a user login name. This would seem to me to be a major security flaw and should be addressed by WordPress as soon as possible. I have yet to research this in full, and WordPress might already have a fix in store, but I will have to keep an eye out to see.

The attack

The default WordPress install as of 4.3.1 does ask you for a unique name for the initial administrative user and does not allow you to use “admin” as the name. WordPress prompts for a strong password for every account on the system, but there is a checkbox that lets the user confirm a weak one. I see that WordPress is trying to keep it easy for someone to use, but I am not convinced a user could not at least come up with a somewhat longer and harder to guess password. In order to log in to a WordPress installation, you have to have both the user name and the password. But what if you can obtain the user name with almost no effort and then run a slow brute force attack to guess the password for the account (knowing full well that there is a high possibility the user chose a weak password)? Believe it or not, this is an easy hack if given enough time to run through a password dictionary (a list of commonly used passwords).

In the browser address bar, append the following to the end of your website URL

?author=1

and hit go. WordPress will display the list of posts by the author whose ID is 1 in the user table, but the address it lands on uses that author's “nicename”, which by default is the same as the user login name.

Example:

http://www.example.com/?author=1

displays

http://www.example.com/author/admin

Now the attacker knows that the login name to try is admin and only has to guess the password for that account.

The Fix

There are a couple of ways that I know about as a simple fix to this problem. First, you can install a security plugin like Sucuri.net or Wordfence that blocks the ?author=1 hack. Second, you can edit the user table entries in the database: if you change the “nicename” of every user so that it differs from the login name, then ?author=1 still resolves to /author/[nicename], exactly as you typed it, and the login name is no longer revealed. Warning: do not use special characters or spaces in a “nicename”. I have successfully used a dash between words with no problem, but I would NOT suggest using other characters (especially the question mark and ampersand).
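As an added example (not WordPress core code and not the code of either plugin named above), the following must-use plugin combines the two fixes in one file: it answers front-end ?author=N requests with a plain 404 before WordPress's own canonical redirect can turn them into /author/[nicename]/, and it audits and rewrites the nicename of every user whose public slug still equals the login name, which is the exposure the attack section describes. Every function prefixed hal_ is this example's own invention; get_users(), get_user_by(), sanitize_title(), wp_update_user(), status_header() and nocache_headers() are real WordPress functions. The file path wp-content/mu-plugins/ is the standard location WordPress loads without activation.

```php
<?php
/**
 * Plugin Name: Hide author login names (added example)
 *
 * Added example for this post; not WordPress core code and not the code of
 * Sucuri or Wordfence. Save as wp-content/mu-plugins/hide-author-login.php and
 * WordPress loads it automatically. Functions prefixed "hal_" are defined here
 * and are an assumption of this example, not a WordPress API.
 */

// Part 1: refuse the ?author=<id> lookup on the front end.
// WordPress's canonical redirect (redirect_canonical, hooked at template_redirect)
// is what turns ?author=1 into /author/<nicename>/, so the check must run earlier;
// 'init' fires before the main query is parsed.
add_action( 'init', function () {
    if ( is_admin() ) {
        return; // dashboard user screens use ?author= legitimately
    }
    if ( hal_is_author_id_request( $_GET ) ) {
        // Identical answer whether or not a user with that ID exists, so the
        // response cannot be used to count accounts either.
        status_header( 404 );
        nocache_headers();
        exit;
    }
} );

/**
 * True when the query string carries an author parameter. WordPress accepts
 * more than a plain integer here (leading zeros, comma lists, negative IDs), so
 * rather than enumerate formats the rule blocks the parameter outright on the
 * front end. The slug form ?author_name=<nicename> is left alone: it reveals
 * nothing beyond what /author/<nicename>/ already shows.
 */
function hal_is_author_id_request( array $query ) {
    if ( ! array_key_exists( 'author', $query ) ) {
        return false;
    }
    if ( is_array( $query['author'] ) ) {
        return true; // ?author[]=1 style oddities are not a legitimate front-end request
    }
    return trim( (string) $query['author'] ) !== '';
}

// Part 2: audit and fix the nicenames themselves, so /author/<nicename>/ no
// longer spells out the login name.

/**
 * Users whose public slug (wp_users.user_nicename) equals their login name.
 * WordPress derives the slug from the login with sanitize_title() at account
 * creation ("Admin" becomes "admin"), hence the case-insensitive comparison.
 */
function hal_users_with_exposed_login() {
    $users = get_users( array(
        'fields' => array( 'ID', 'user_login', 'user_nicename', 'display_name' ),
    ) );
    return array_values( array_filter( $users, function ( $u ) {
        return strtolower( $u->user_login ) === strtolower( $u->user_nicename );
    } ) );
}

/**
 * Pick a replacement slug that says nothing about the login: the display name
 * if it is set and differs from the login, otherwise "author-<ID>".
 * sanitize_title() is WordPress's own slug filter (lowercase, dashes, no ?, &
 * or spaces), which is exactly the character restriction the post warns about.
 */
function hal_choose_safe_nicename( $login, $display_name, $id ) {
    $candidate = sanitize_title( $display_name );
    if ( $candidate === '' || $candidate === sanitize_title( $login ) ) {
        $candidate = 'author-' . (int) $id;
    }
    // Slugs must be unique across users; append a counter on collision.
    $slug = $candidate;
    for ( $n = 2; ( $other = get_user_by( 'slug', $slug ) ) && (int) $other->ID !== (int) $id; $n++ ) {
        $slug = $candidate . '-' . $n;
    }
    return $slug;
}

/**
 * Rewrite the slug of every exposed user through wp_update_user(), which
 * changes user_nicename without touching the login or password. Returns
 * login => new slug so the change can be logged. Existing /author/<login>/
 * links stop resolving afterwards; that is the point.
 */
function hal_fix_exposed_logins() {
    $changed = array();
    foreach ( hal_users_with_exposed_login() as $u ) {
        $slug   = hal_choose_safe_nicename( $u->user_login, $u->display_name, $u->ID );
        $result = wp_update_user( array( 'ID' => $u->ID, 'user_nicename' => $slug ) );
        if ( ! is_wp_error( $result ) ) {
            $changed[ $u->user_login ] = $slug;
        }
    }
    return $changed;
}
```

Assuming WP-CLI is installed, `wp eval 'print_r( hal_users_with_exposed_login() );'` lists the accounts still exposed and `wp eval 'print_r( hal_fix_exposed_logins() );'` applies the rename; check the output against a database backup before relying on it. A 404 was chosen over a redirect to the home page because it gives a probing client no signal at all, and running the check on init rather than template_redirect matters: by template_redirect the canonical redirect has usually already sent the /author/<nicename>/ location header.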

If you would like a tutorial on how to edit the user table, let me know and I will do my best to work on the video for it.

Enjoy your WordPress install and stay safe!