• Resolved manOmedia

    (@manomedia)


    Set up All In One WP Security on a new site.
    Activated the basics including ‘Login Lockdown’, ‘instantly lockout non-existing user names’ and ‘Disable Users Enumeration’.
    Did a simple author URL check and got the response “Accessing author info via link is forbidden”, so enumeration seems to be blocked.
    Created a new admin user with a non-standard name, switched to that user and deleted the old admin user account (also a non-standard name).

    Looking at “Failed Login Records”, attempts on the old admin username stopped within a few hours and within about 12 hours of creating the new user, that name shows in the Failed Login Records list 459 times!

    Obviously there is another external way to discover user names.

    As a side note I have:
    ‘Time Length of Lockout’ set to 44000 which is roughly a month.
    ‘Completely Block Access To XMLRPC’ is checked:

    Thoughts?

    • This topic was modified 5 years, 5 months ago by manOmedia. Reason: added comment
Viewing 15 replies - 1 through 15 (of 24 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, do you have one of the following features enabled under Brute Force?

    Rename Login Page
    Cookie Based Brute Force Prevention

    Thank you

    • This reply was modified 5 years, 5 months ago by mbrsolution.
    Thread Starter manOmedia

    (@manomedia)

    Hi…
    I’ve considered renaming the Login Page but decided to stick with the basics for now. Been using iThemes Security on other sites but really like some of the features you have – this is my first installation of ‘All In One’.
    And I have not even looked at “Cookie Based Brute Force Prevention”.

    That said, not sure why you asked as I presume neither of those would be leaking user names.
    Obviously moving the login page could help but it doesn’t address the question of how the names are being found.

    Thanks

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    That said, not sure why you asked as I presume neither of those would be leaking user names.

    This feature allows you to change the login URL by setting your own slug and renaming the last portion of the login URL which contains the wp-login.php to any string that you like.

    By doing this, malicious bots and hackers will not be able to access your login page because they will not know the correct login page URL.

    but it doesn’t address the question of how the names are being found.

    Have you enabled ‘Disable Users Enumeration’ under Miscellaneous -> Users Enumeration? They might also try this method to access your login credentials.

    Let me know if the above helps you further.

    Kind regards

    Thread Starter manOmedia

    (@manomedia)

    Yes, I’m considering changing the login url but I’m really curious what is exposing the user names. And as noted at the start, ‘Disable Users Enumeration’ is selected and a simple author URL check results in: “Accessing author info via link is forbidden” so enumeration seems to be blocked.

    It’s all rather odd…

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, there might be another plugin revealing this information in your site. Have you checked your other plugins?

    Regards

    Thread Starter manOmedia

    (@manomedia)

    Not many plugins and all are quite mainstream but sadly I think this is the only possibility.

    Kind of a pain though… Typically troubleshooting plugins can be quick: disable, test and move on. But in this case I need to leave each one disabled long enough (a few hours anyway) to see if a newly created user name is discovered.
    That said, I rather suspect Yoast, the SEO plugin, which could easily be shut off for some hours. I don’t have access now but it’s the only one I can think of that might be interested in publicizing that sort of metadata. Off the top of my head the others are:
    Contact form 7
    Redirection
    Popup Maker
    WP maintenance
    BackupBuddy
    Comet Cache
    WP Maintenance Mode

    The only other thing I can think of is Google recaptcha v3.

    Got work to do…

    Btw, the quick responses are very much appreciated!!!

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Okay, keep me posted.

    Btw, the quick responses are very much appreciated!!!

    Thank you

    Kind regards

    Thread Starter manOmedia

    (@manomedia)

    Well, it seems I may be correct, that Yoast SEO is the culprit – at least it’s an obvious place to start.

    – Under Yoast SEO General Settings is an option for ‘XML sitemaps’ which is on by default.
    – The default for their sitemaps includes a ‘/author-sitemap.xml’ link, which by default includes any authors that have content associated to them.
    This is not necessarily an issue but what makes it a bit more onerous is that the links are the user name, not the Nickname or Display name and as best as I can tell, there is no UI access to make that change but I am inquiring.

    Yoast sitemaps can be entirely turned off and any number of other systems can be used to generate a sitemap. It’s also possible to just eliminate the authors link from the sitemap by turning off ‘Author archives’ on the Archives tab of the ‘Search Appearance’ page. This is where I’m starting.
    Additionally, if Author archives is active, it reveals a Yoast setting on each users’ profile page, ‘Do not allow search engines to show this author’s archives in search results.’ Checking that will remove that user from the Author archives section on the Yoast sitemap.

    Time to create a new user and see what happens…

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Thank you for keeping me posted. That is a very interesting finding. Let’s see what happens when you add a new username to your site.

    Kind regards

    Thread Starter manOmedia

    (@manomedia)

    So I did a bit of reading and Yoast confirms

    By default, WordPress uses the username for the author archive page URL. Yoast SEO uses the same archive URL when building the sitemap.

    I had never looked before but there are a few plugins that can address this and Yoast will follow that change when building the sitemap.
    I guess for a site that needs to display author names, one of the plugins would make sense as changing the behavior in php is indeed a bit complicated.

    In the meantime, within an hour of deactivating Author archives, lockouts slowed to a trickle – just 6 over the last 10 hours and all of those are the first username that was in use before I started on this path.

    Seems like a good WordPress feature, to manage the creation of a username and a display name during account creation and then using the display name for all public facing actions. Would help with security, could make for more attractive name display and by having it done at account creation, duplicates could be easily prevented.

    Still, it might be a nice feature for All In One WP Security.

    • This reply was modified 5 years, 5 months ago by manOmedia.
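    The Yoast explanation quoted above and the earlier notes on author archives both come down to one WordPress detail: the author archive URL is built from user_nicename, which defaults to the login name. The following mu-plugin is an added illustration, not code from this thread, from AIOWPS or from Yoast; it gives new accounts a nicename unrelated to the login so that any sitemap built from author archive URLs no longer lists usernames. It assumes WordPress 5.8+ (for the fourth argument of the wp_pre_insert_user_data filter) and the standard wp-content/mu-plugins/ location.

```php
<?php
/**
 * Plugin Name: Example: decouple the public author slug from the login name
 *
 * Added illustration (not AIOWPS or Yoast code). WordPress builds the author
 * archive URL from user_nicename, which by default is derived from user_login,
 * so a sitemap that lists author archives ends up listing login names.
 * Drop this file into wp-content/mu-plugins/ (assumed path).
 */

// Return a nicename that never equals the sanitized login and is unique
// among existing users (get_user_by( 'slug', ... ) looks up user_nicename).
function example_public_author_slug( string $login, string $display_name ) {
    $slug = sanitize_title( $display_name );
    if ( '' === $slug || $slug === sanitize_title( $login ) ) {
        $slug = 'author-' . strtolower( wp_generate_password( 8, false, false ) );
    }
    $base = $slug;
    $n    = 2;
    while ( get_user_by( 'slug', $slug ) ) {
        $slug = $base . '-' . $n++;
    }
    return $slug;
}

// wp_pre_insert_user_data runs inside wp_insert_user() just before the row is
// written; $userdata (4th argument, WP 5.8+) carries the caller's values.
add_filter( 'wp_pre_insert_user_data', function ( $data, $update, $user_id, $userdata ) {
    if ( $update ) {
        return $data; // only new accounts are handled here
    }
    $data['user_nicename'] = example_public_author_slug(
        (string) $userdata['user_login'],
        isset( $userdata['display_name'] ) ? (string) $userdata['display_name'] : ''
    );
    return $data;
}, 10, 4 );

// One-off helper for accounts that already exist: give them a fresh slug.
// Returns the user ID on success or a WP_Error, as wp_update_user() does.
function example_rename_existing_author_slug( int $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return false;
    }
    return wp_update_user( array(
        'ID'            => $user_id,
        'user_nicename' => example_public_author_slug( $user->user_login, $user->display_name ),
    ) );
}
```

    After renaming an existing account, regenerate or flush any cached sitemap so the old author URL is no longer served.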
    Plugin Contributor mbrsolution

    (@mbrsolution)

    Thank you for reporting back. This will definitely help others that run into the same issue as you.

    Is your issue now resolved? If it is, can you mark this support thread as resolved?

    Thank you

    Thread Starter manOmedia

    (@manomedia)

    Well… That was short lived.

    The new user name has leaked out – there are about 160 ‘Failed Login Records’ from the last 15 hours or so. Though interestingly, the ‘Locked IP Addresses’ list only shows actual lockouts from an older user name.

    Searching the page source content of all the public pages and posts does not reveal the user name, and the WP database only shows the username as saved in three tables:
    146 matches in prefix_aiowps_failed_logins
    1 match in prefix_aiowps_login_activity
    1 match in prefix_users

    So I guess I’m back to analyzing the plugins:
    BackupBuddy
    Comet Cache
    Contact form 7
    Popup Maker
    Redirection
    WP Maintenance Mode

    But again, none seem likely to be revealing user names.

    Not sure if this should be marked ‘resolved’ or not. The leaking seems unrelated to AIOWPS but it’s still happening. I guess it could be marked resolved and I could still add to it if I discover another culprit?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, you might have to contact your host about this issue. See if they can share some light.

    Kind regards

    Thread Starter manOmedia

    (@manomedia)

    Just for kicks I did talk with my host – they said what we already decided, that it’s very likely one of the plugins, and they had a few ideas of more likely culprits but my gut was still on Yoast.

    This is somewhat anecdotal but it seems that with Yoast SEO disabled (no other changes), no usernames were extracted from the site but with Yoast SEO enabled, even with Yoast’s Author archives turned off, user names were detected.

    What I did was:
    – Disable Yoast SEO
    – Create a new user
    – Delete the old user
    – Assign all the content to the new user and wait…

    During the next 24 hours+, no logins were attempted with the new username.
    I then reactivated Yoast and within about an hour, that new username started showing up on the list of blocked login attempts.

    What this seems to indicate is that while the default condition of WordPress is to show usernames, it is possible to block their exposure. But apparently there is another access point via Yoast.

    More to come I guess…

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Thank you for the latest report. This is going to help others and maybe work out exactly which plugin is causing this issue. From what you have reported so far, it looks like Yoast SEO is causing this problem. If it turns out to be Yoast SEO, I suggest that you open a support ticket and report this to the developers.

    I don’t use Yoast SEO, I use The SEO Framework.

    Kind regards

    • This reply was modified 5 years, 5 months ago by mbrsolution.
  • The topic ‘Disable Users Enumeration checked, new user name discovered’ is closed to new replies.