Good morning.
It is great to see the community helping out; this is the way the open source project is meant to work. Thanks @m0ze
m0ze is exactly right in terms of links, in that WP has by default an author archive and that is often (depending on theme) linked to in the post meta. Unfortunately the author archive exposes the underlying user name, e.g. example.com/author/fred
So a hacker can manually, or through link scraping, also find the user name.
This plugin looks at a specific attack vector, used by automated hacking tools: user enumeration, where an attacker can simply loop through numbers, e.g. example.com?author=1, example.com?author=2, etc.
When I built this plugin some 8 years ago the intention was to (as it can today) link it to Fail2Ban, so when an automated tool tries the user enumeration technique, the IP is banned, hence stopping the tool in its tracks.
Since I built this plugin, other security tools, including WordFence (which at one time had my exact code line by line; it's GPL so that's OK, attribution would have been nice though) started stopping user enumeration, and so the hackers had to use different techniques.
The tool is still valid today against user enumeration, but it has less effect as it doesn't try to stop other techniques that hackers have developed.
As well as link scraping, one common way of obtaining the user name is via the XML feed. However, this is only because many people don't bother to fill in the user details, so if you just create a user without a first name that is different from the user name, the 'Display Name' is the user name. Having 'Display Name' as the user name is very common and a great way for automated tools to guess user names.
So go check your Display Names are different from your user names.
One day I might write some code to check / enforce that display name / nick name / user names are different. As it is open source, if anyone wants to contribute code please feel free.
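As an added illustration (not the plugin's own code, nor code from this thread), a small WordPress mu-plugin that blocks numeric ?author=N enumeration with a log line Fail2Ban can match on, and reports accounts whose Display Name or nickname equals their username. The function name example_users_with_leaky_names and the log line format are assumptions; the WordPress hooks and functions used are standard ones.

```php
<?php
/*
 * Added example, not the plugin's own code. Assumes standard WordPress
 * hooks; the helper name and the log line format are invented here.
 */

// (1) Reject ?author=1, ?author=2 ... on the front end before WordPress
// redirects to /author/<username>/, which would leak the login name.
add_action('init', function () {
    if (is_admin()) {
        return; // admin screens legitimately filter post lists by author ID
    }
    if (isset($_REQUEST['author']) && preg_match('/^\d+$/', (string) $_REQUEST['author'])) {
        // One-line entry in the PHP error log that a Fail2Ban filter can match.
        $ip  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
        error_log(sprintf('user-enum-blocked from %s uri=%s', $ip, $uri));
        wp_die('Forbidden', 'Forbidden', array('response' => 403));
    }
});

// (2) List accounts whose public names reveal the login name
// (display_name or the 'nickname' meta equal to user_login, case-insensitive).
function example_users_with_leaky_names() {
    $leaky = array();
    foreach (get_users() as $user) {
        $nickname = (string) get_user_meta($user->ID, 'nickname', true);
        if (strcasecmp($user->display_name, $user->user_login) === 0
            || strcasecmp($nickname, $user->user_login) === 0) {
            $leaky[] = $user->user_login;
        }
    }
    return $leaky;
}

// Surface the result as an admin notice to administrators only.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    $leaky = example_users_with_leaky_names();
    if (!empty($leaky)) {
        printf(
            '<div class="notice notice-warning"><p>%s</p></div>',
            esc_html('Display Name or nickname equals username for: ' . implode(', ', $leaky))
        );
    }
});
```

Drop the file into wp-content/mu-plugins/ so it loads without activation; the author archive link in the theme still needs to be handled separately, as the post above explains.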