Comments on: WordPress Username Enumeration

By: AskApache

AskApache — Mon, 20 Aug 2007 17:50:58 +0000

Very very cool article! I created a wordpress plugin that you might want to check out and see if your method will still be useful. htaccess password protect wp-admin

By: Security Hub » Blog Archive » Enumeração de usuários no Wordpress

Tue, 14 Aug 2007 10:06:50 +0000

[...] O link para o texto original é este. [...]

By: dyingeyes weblog » Sicherheit bei Wordpress-Benutzernamen

dyingeyes weblog » Sicherheit bei Wordpress-Benutzernamen — Sat, 11 Aug 2007 20:38:44 +0000

[...] von einem lesenswerten (englischsprachigen) Artikel ›WordPress Username Enumeration‹ in BlogSecurity ein paar kurze Anmerkungen zu Verwendung von Benutzernamen in Wordpress – [...]

By: Recommended site for WordPress security

Recommended site for WordPress security — Thu, 19 Jul 2007 12:16:39 +0000

[...] it is not holding back new WordPress holes from disclosure — for example, a new article yesterday showed how to perform enumeration on WordPress installation by brute force, so that valid usernames [...]

By: David Kierznowski

David Kierznowski — Wed, 18 Jul 2007 23:17:57 +0000

Adrian, heh, I can beat that story but its for a drink at the pub evening :)

By: Adrian Pastor

Adrian Pastor — Wed, 18 Jul 2007 17:18:20 +0000

David,

Don’t take my word for it, but I think the 6 chars are a derived from a partial hash (first 6 chars of MD5 hash?) of a random value. Hopefully it’s truly random, otherwise we have

36^6 = 2176782336 combinations

which is a lot! :)

Not too long ago we came across a financial app. The app would generate new passwords when clicking on “I forgot my password” that would be sent to your email. The problem is that the pwds were made of a word from either of the following groups:

- classic musician names
- fruits
- colors

plus two digits. You might think I’m kidding but this is a real story.

By: David Kierznowski

David Kierznowski — Wed, 18 Jul 2007 13:55:35 +0000

Phil, yes, those who implemented our hardening guide (atleast those able to) would be immune to a degree against this attack, nice point!

By: Philipp

Philipp — Wed, 18 Jul 2007 13:17:00 +0000

That vulnerability is the perfect example for a blog which isn't hardened. That attack isn't possible when you hardened your blog. Or it's quite harder to achieve if you have at least password protected your wp-admin area. So for all who didn't considered harden their wp install should rethink their decision.

By: David Kierznowski

David Kierznowski — Wed, 18 Jul 2007 11:43:11 +0000

Adrian, sometimes we underestimate the traditionl brute force approach, awesome article.

It may be interesting to look into the default admin password generation that WordPress recommends when installing a blog. If I remember correctly its 6 characters, all lower-case with digits.