Not that urgent, but thought I would highlight.
Error log = PHP Warning: Array to string conversion in /wp-includes/functions.php on line 3875
25-Sep-2024 06:41:48 UTC] Title at line 3873: Array
(
[response] => 403
)
Backtrace:
0 public_html/wp-includes/functions.php:3873 – debug_title_value
1 public_html/wp-includes/functions.php:3787 – _default_wp_die_handler
2 public_html/wp-content/plugins/stop-user-enumeration/frontend/class-frontend.php:67 – wp_die
3 public_html/wp-includes/class-wp-hook.php:324 – Stop_User_Enumeration\FrontEnd\FrontEnd::check_request
4 public_html/wp-includes/class-wp-hook.php:348 – WP_Hook::apply_filters
something to do with – wp_die( esc_html__( 'forbidden - number in author name not allowed = ', 'stop-user-enumeration' ) . esc_html( $author ), array( 'response' => 403 ) );
I am using your plugin in addition to NinjaFirewall security. In the log I notice there are quite a few entries for “User enumeration scan (author archives)”, which then shows a real username from my website. Shouldn’t this plugin prevent malicious access to author names and not allow user enumeration scans at all?
I have installed your plugin on one of my WordPress websites, and it has been working wonderfully. However, I’ve encountered a minor issue that I wanted to bring to your attention.
I monitor my server’s status using Grafana, and recently, I noticed a significant increase in 500 Internal Server Errors on the server hosting my WordPress site. After investigating the Apache logs, I discovered that there wasn’t actually a problem with the server itself. Instead, a bot was repeatedly trying to perform user enumeration by sending requests with ?author=ID.
While Stop User Enumeration successfully blocked these attempts, it logged them as internal server errors, which is somewhat misleading. I believe this behavior might be related to the following function:
public function check_request() {
    /*
     * Validate incoming request
     */
    /* phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request */
    if ( ! is_user_logged_in() && isset( $_REQUEST['author'] ) ) {
        /* phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request */
        $author = sanitize_text_field( wp_unslash( $_REQUEST['author'] ) );
        /* phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request */
        if ( $this->ContainsNumbers( $author ) ) {
            $this->sue_log();
            /* phpcs:ignore WordPress.Security.NonceVerification -- not saved just logging the request, not form input so no unslash*/
            wp_die( esc_html__( 'forbidden - number in author name not allowed = ', 'stop-user-enumeration' ) . esc_html( $author ) );
        }
    }
}
The function wp_die by default returns a 500 error. Do you think it would be more appropriate if it instead returned a 403 forbidden status? Something like:
wp_die(
    esc_html__( 'forbidden - number in author name not allowed = ', 'stop-user-enumeration' ) . esc_html( $author ),
    esc_html__( 'Forbidden', 'stop-user-enumeration' ),
    array( 'response' => 403 )
);
So I have a WordPress 5.3.18 Multisite installation. I have version 1.3.20 of this plugin installed, and I observed something peculiar.
Visiting /wp-admin/network/plugins.php?plugin_status=upgrade it says in the submenu where you can select between active, inactive and available updates, that there should be two plugins in the list. However, only one plugin shows up. Your plugin “Stop user enumeration” doesn’t show. This seems to be the only one of our plugins I can’t seem to find in that list.
However, in the plugin list on the URL /wp-admin/network/update-core.php it does show up.
I’m therefore a bit hesitant to try and update this plugin to the newest version, 1.6.1, from the GUI, since it seems something may be wrong with it on the current installation. Any ideas how to resolve this, or is it normal?
I also notice your plugin makes use of composer, is composer update also automatically handled when updating the plugin from /wp-admin/network/update-core.php ?
I don’t use Fail2Ban, but I have the setting log attempts to AUTH LOG checked. From my understanding of the functions check_request and sue_log, any attempt at enumeration like /?author=123 should be logged. Is that correct? What should these entries look like? Where should they be logged? While the plugin does indeed block these attempts, I don’t see anything in the logs.
Hi,
fail2ban filter does not work anymore with the last update (“wordpress” has been replaced in the auth.log by the website domain name). Can you update the filter file for fail2ban ?
Br,
Hi!
We’ve found that your plugin is very eager to block any REST route that matches the simple regular expression users. This conflicts with a plugin we use for our mobile apps to register via REST to our WP backend. The required endpoint is located at .../wp-json/simple-jwt-login/v1/users and because this is an endpoint used for people to register via the REST API there is no way to satisfy the rule of being logged in when accessing it.
Is there a chance to implement an excluded path list for which your plugin will simply not enforce the mandatory login?
Thanks, Mickey
Hi,
it seems that get_ip, which relies on getenv(), is not working on my configuration.
I’ve set up a workaround, adding the following below your test (same as yours, but with the $_SERVER variable):
// empty() avoids an "undefined index" notice when a header is absent
if ( ! empty( $_SERVER['HTTP_CF_CONNECTING_IP'] ) ) {
    $ipaddress = $_SERVER['HTTP_CF_CONNECTING_IP'];
} elseif ( ! empty( $_SERVER['HTTP_CLIENT_IP'] ) ) {
    $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
} elseif ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
    $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif ( ! empty( $_SERVER['HTTP_X_FORWARDED'] ) ) {
    $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
} elseif ( ! empty( $_SERVER['HTTP_FORWARDED_FOR'] ) ) {
    $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
} elseif ( ! empty( $_SERVER['HTTP_FORWARDED'] ) ) {
    $ipaddress = $_SERVER['HTTP_FORWARDED'];
} elseif ( ! empty( $_SERVER['REMOTE_ADDR'] ) ) {
    $ipaddress = $_SERVER['REMOTE_ADDR'];
}
I suggest you add these to provide better compatibility.
Simone.
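One caveat for the workaround above: every HTTP_* header is sent by the client, so unless the request really arrived through Cloudflare or a reverse proxy, the address read from it can be anything, and the entry written to the auth log (and any fail2ban action on it) may point at the wrong host. The following is an added example, not the plugin's code, that reads the forwarded-address headers only when REMOTE_ADDR is one of a configured set of proxies; the proxy list and the sue_example_* function names are placeholders.

```php
<?php
// Added example: trusted-proxy aware client IP lookup (not the plugin's get_ip).

function sue_example_trusted_proxies() {
    // Placeholder: replace with the real addresses/CIDRs of your proxy or CDN edge.
    return array( '203.0.113.10', '10.0.0.0/8' );
}

// IPv4-only CIDR test; a bare address is treated as an exact match.
function sue_example_ip_in_cidr( $ip, $cidr ) {
    if ( false === strpos( $cidr, '/' ) ) {
        return $ip === $cidr;
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $ip_l  = ip2long( $ip );
    $net_l = ip2long( $subnet );
    if ( false === $ip_l || false === $net_l ) {
        return false;
    }
    $mask = -1 << ( 32 - (int) $bits );
    return ( $ip_l & $mask ) === ( $net_l & $mask );
}

// $server is normally $_SERVER; passed in so the function is testable.
function sue_example_get_ip( array $server ) {
    $remote        = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    $peer_is_proxy = false;
    foreach ( sue_example_trusted_proxies() as $cidr ) {
        if ( sue_example_ip_in_cidr( $remote, $cidr ) ) {
            $peer_is_proxy = true;
            break;
        }
    }
    if ( ! $peer_is_proxy ) {
        // Direct connection: the forwarded headers are client-controlled, ignore them.
        return $remote;
    }
    $headers = array( 'HTTP_CF_CONNECTING_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' );
    foreach ( $headers as $h ) {
        if ( empty( $server[ $h ] ) ) {
            continue;
        }
        // X-Forwarded-For is "client, proxy1, proxy2"; the first entry is the origin.
        $candidate = trim( explode( ',', $server[ $h ] )[0] );
        if ( filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
            return $candidate;
        }
    }
    return $remote;
}
```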
Hello @alanfuller,
Some weeks ago we installed this plugin into 250+ very heterogeneous WP installations. Now in every single one of them we see the dashboard message “Hi I’m Alan and you have been using this plugin Stop User Enumeration for a while – that is awesome! Could you please do me a BIG favor and give it a 5-star rating on WordPress? Just to help spread the word and boost my motivation..”.
In some of them we have to click the “Maybe later”, “Already done” or “No thanks, dismiss this request” link twice to make the banner go away. After the first click, nothing happens. After the second click the banner is gone. This looks like a little bug.
But the real problem is that in our other installations the banner doesn’t go away, no matter how often we click on one of these links. Now we have this banner on the dashboard and other backend pages and can’t get rid of it.
We use the current version 1.4.9 of the plugin, the current version 6.5.2 of WordPress, PHP 8.1.x and MariaDB 10.5.23.
How can we solve this problem? For us this looks like a clear bug.
Many greetings and thanks for the good work,
-doffine
plugins page redirects to https://www.spiral.uk.com/wp-admin/options-general.php?page=stop-user-enumeration
redirect remains after plugin uninstall
saving settings does nothing to resolve this
Hi,
I am using Wordfence on my WP site, and this week it flagged up 7 changed files within Stop User Enumeration that seem suspicious to it.
Here is the message it gives me:
File Type: Plugin
Details: This file belongs to plugin “Stop User Enumeration” version “1.4.8” and has been modified from the file that is distributed by www.remarpro.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don’t manage their code correctly.
And here are the files within the plugin that changed (all within the vendor/composer folder):
autoload_static.php
installed.php
InstalledVersions.php
autoload_classmap.php
autoload_psr4.php
autoload_real.php
autoload.php
Can you please tell me why this error is appearing, and whether I should uninstall/reinstall as it suggests?
Thanks,
LS
P.S.: I am using Version 1.4.8 of Stop User Enumeration, and I have all my plugins set to auto-update.
Is the plugin working/tested with WordPress 6.3?
Activating stop-user-enumeration 1.4.6 in PHP 8.2 in WP 6.2-beta1 gives the following deprecated warnings.
Deprecated: Creation of dynamic property AlanEFPluginDonation\PluginDonation::$freemius is deprecated in C:\xampp\htdocs\wp\wp-content\plugins\stop-user-enumeration\includes\vendor\alanef\plugindonation_lib\PluginDonation.php on line 50
Deprecated: Creation of dynamic property Stop_User_Enumeration\Admin\Admin_Settings::$donation is deprecated in C:\xampp\htdocs\wp\wp-content\plugins\stop-user-enumeration\admin\class-admin-settings.php on line 36
Deprecated: Creation of dynamic property AlanEFPluginDonation\PluginDonation::$strings is deprecated in C:\xampp\htdocs\wp\wp-content\plugins\stop-user-enumeration\includes\vendor\alanef\plugindonation_lib\PluginDonation.php on line 285
Hi, I am using this plugin, and when using this plugin, am I supposed to not see the usernames on https://www.spectrumnews.org/wp-json/wp/v2/users or get blocked from accessing that API endpoint if I’m not logged in? I can see it fine when I’m not logged in. Am I missing something?
Hello and thanks for this plugin.
I have installed and network activated it on a domain based WordPress multisite install.
It works on the main site of the network but not on any other sites of the network.
If I network deactivate it and then activate it site by site, then it works on any site where I individually activated it.
Is this the normal behavior or did I miss something?
I installed this plugin and it seems to clash with the ‘SSH SFTP Updater Support’ plugin from Terrafrost. After installing the ‘Stop User Enumeration’ plugin I was then getting the ‘Updater Support’ form at the top of every page on the website whether I was logged into the site or not logged into the site. The site had been working happily for many months before this.
I tried deactivating and then removing the ‘Stop User Enumeration’ plugin but it was still displaying the ‘Updater Support’ form on every page. The only way I could recover my site back to a usable state was by restoring a backup of the database, to take the site back to before I installed the ‘Stop User Enumeration’ plugin.
Hi,
This plugin doesn’t seem to stop email enumeration via the login error message.
I still get “Invalid username or email.” or “Password reset email has been sent” on a successful email entered.
Is that correct?
Does this plugin do the same as the plugin called Disable Rest API plus more? I have Disable Rest API and I just got this one. I want to know if I can delete Disable Rest API. Thanks.
Hi there, first of all, mega thank you for the plugin.
I noticed that Google Fonts is used within this plugin. In Europe, for example Germany, it’s forbidden to use Google Analytics / Google Fonts. WordPress itself is also already removing Google Fonts from its default Twenty* themes.
Could you also please remove it from this plugin, for future use.
I dequeued the style, but maybe other users won’t notice it and may be breaking the law. There have already been monetary sanctions in Germany for not complying.
add_action( 'admin_enqueue_scripts', function () {
    wp_dequeue_style( 'stop-user-enumeration-fonts' );
} );
Kind regards,
Jaime
hi there,
Thanks for this nice plugin. When I activate the plugin and clear cache I see that the root example.com/wp-json/wp/v2/users is still accessible. So with the link above, someone can still find out the users. How can this be blocked?
Hi
I am using the latest version:
Now I have TWO messages.
They refuse to go away and keep showing up, which is annoying.
Can this be fixed please?
Thank you.
Hi,
I scanned my WordPress installation using the OWASP Dependency-Check (https://owasp.org/www-project-dependency-check/)
The scan showed
CVE-2019-10744 – 9.1 Critical – Prototype Pollution in lodash
https://github.com/advisories/GHSA-jf85-cpcp-j695
found in wordpress/wp-content/plugins/stop-user-enumeration/includes/vendor/alanef/plugindonation_lib/package-lock.json?lodash.template
CVE-2020-28469 – 7.5 High – Regular expression denial of service
https://github.com/advisories/GHSA-ww39-953v-wcq6
found in wordpress/wp-content/plugins/stop-user-enumeration/includes/vendor/alanef/plugindonation_lib/package-lock.json?glob-parent
Could you update your dependencies?
Regards,
Christof
Greetings,
I encountered a conflict with WPS Hide Login after last night’s update of Stop User Enumeration to 1.4.0.
It was breaking the redirect back to wp-admin from the alt login page, after logging in.
Disabling Stop User Enumeration resolved the issue.
I may try reverting to the previous version for time-being.
Dear support,
This plugin usually does the trick (I disable some other stuff as well separately, like author sitemaps). But on one site, I can still enumerate one of 4 users using WPScan like so:
[i] User(s) Identified:
[+] firstname-lastname
| Found By: Author Posts - Author Pattern (Passive Detection)
This isn’t the real name of course, but it did detect a user with its real first name, hyphen, last name. This doesn’t correspond to a login nor nickname but does to the real person’s name. Is the plugin supposed to catch this or not?
Kind regards,
Joris.
Hi!
I ran your plugin through a PHP scanner for compatibility with PHP 7.3 and it listed a few things:
=== Stop User Enumeration ===
File: plugins/stop-user-enumeration/includes/vendor/freemius/wordpress-sdk/includes/sdk/FreemiusWordPress.php
Since PHP 7.0, functions inspecting arguments, like debug_backtrace(), no longer report the original value as passed to a parameter, but will instead provide the current value. The parameter “$pUrl” was used, and possibly changed (by reference), on line 307.
File: plugins/stop-user-enumeration/includes/vendor/freemius/wordpress-sdk/includes/class-freemius.php
Since PHP 7.0, functions inspecting arguments, like func_get_args(), no longer report the original value as passed to a parameter, but will instead provide the current value. The parameter “$tag” was used, and possibly changed (by reference), on line 18865.
Since PHP 7.0, functions inspecting arguments, like func_get_args(), no longer report the original value as passed to a parameter, but will instead provide the current value. The parameter “$tag” was used, and possibly changed (by reference), on line 19022.
File: plugins/stop-user-enumeration/includes/vendor/freemius/wordpress-sdk/includes/class-fs-logger.php
Since PHP 7.0, functions inspecting arguments, like debug_backtrace(), no longer report the original value as passed to a parameter, but will instead provide the current value. The parameter “$id” was used, and possibly changed (by reference), on line 41.
File: plugins/stop-user-enumeration/includes/vendor/freemius/wordpress-sdk/config.php
File has mixed line endings; this may cause incorrect results
I am using WP 5.5 but I cannot disable the 2 options below after saving the settings; other options can be disabled without problems.
Stop REST API User calls
Stop oEmbed calls revealing user ids
Hello,
thank you for this nice little plugin.
However, there might be a small bug at the moment which makes it possible to enumerate users while the plugin is active. When changing a letter case in the query parameter the regex doesn’t work anymore and therefore doesn’t prevent the output.
Used url: example.org/?rest_route=/wp/v2/usErs/
have a nice day
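As an added example (not the plugin's code) covering both the earlier questions about /wp-json/wp/v2/users still being readable while logged out and this letter-case bypass: WordPress itself matches REST routes case-insensitively, so a route check has to normalise the case before comparing. The block hooks the core rest_pre_dispatch filter; the sue_example_* function names are assumed, and the pattern is anchored to /wp/v2/users so it does not also catch unrelated routes that merely contain the word users, such as the simple-jwt-login registration endpoint mentioned above.

```php
<?php
// Added example: deny the core users REST routes to anonymous visitors,
// comparing the route case-insensitively (not the plugin's own check).

function sue_example_is_users_route( $route ) {
    // WordPress dispatches /wp/v2/usErs to the same handler as /wp/v2/users,
    // so lowercase first; otherwise a case-sensitive pattern is trivially missed.
    $route = strtolower( $route );
    // Matches /wp/v2/users, /wp/v2/users/1 and /wp/v2/users/me only.
    return 1 === preg_match( '#^/wp/v2/users(?:/|$)#', $route );
}

function sue_example_block_users_rest( $result, $server, $request ) {
    if ( null !== $result || is_user_logged_in() ) {
        // Another filter already produced a response, or the caller is authenticated.
        return $result;
    }
    // get_route() is the normalised path whether the request came via
    // /wp-json/... or ?rest_route=..., so both URL forms are covered.
    if ( sue_example_is_users_route( $request->get_route() ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to list users.', 'stop-user-enumeration' ),
            array( 'status' => 403 )
        );
    }
    return $result;
}
add_filter( 'rest_pre_dispatch', 'sue_example_block_users_rest', 10, 3 );
```

Clear any page or object cache after adding it, since a cached copy of the users response would still be served regardless of the filter.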
I changed the user’s name, the password, and the email address of the admin, and the hacker keeps finding the new user’s name. I deleted all the themes and plugins I am not using. The hacker keeps trying to break in through the XML-RPC gateway.
Aloha, we noticed that WordPress 5.5 introduced a new method of user enumeration in the sitemap feature intended to help search engines index site content:
If you visit /wp-sitemap.xml on any WordPress site, you should see /wp-sitemap-users-1.xml as a link that will list all site users with their /author/username link. These do still appear with this plugin installed and activated.
Looks like the easiest way to remove that is to hook into wp_sitemaps_add_provider. Would be excellent if you could integrate that into this plugin!
Example (from the link above):
add_filter(
    'wp_sitemaps_add_provider',
    function ( $provider, $name ) {
        if ( 'users' === $name ) {
            return false;
        }
        return $provider;
    },
    10,
    2
);
Hi!
I am searching for a plugin to avoid wpscan listing the users of my blog, and I found yours.
In a first approach, I installed it, and re-launched wpscan, and the users were still there. I read the FAQ and I realized that I was logged in, I logged out and tried again the scan, same result.
My WP version is: 5.6.2
The plugin version: 1.3.29
What am I doing wrong?
Regards and thanks for your time,