• Resolved

    malimart (@malimart)

    I have installed your plugin on one of my WordPress websites, and it has been working wonderfully. However, I’ve encountered a minor issue that I wanted to bring to your attention.

    I monitor my server’s status using Grafana, and recently, I noticed a significant increase in 500 Internal Server Errors on the server hosting my WordPress site. After investigating the Apache logs, I discovered that there wasn’t actually a problem with the server itself. Instead, a bot was repeatedly trying to perform user enumeration by sending requests with ?author=ID.

    While Stop User Enumeration successfully blocked these attempts, it logged them as internal server errors, which is somewhat misleading. I believe this behavior might be related to the following function:

    /*
     * Validate incoming request
     */
    public function check_request() {
        /* phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request */
        if ( ! is_user_logged_in() && isset( $_REQUEST['author'] ) ) {
            /* phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request */
            $author = sanitize_text_field( wp_unslash( $_REQUEST['author'] ) );
            /* phpcs:ignore WordPress.Security.NonceVerification -- not saved just checking the request */
            if ( $this->ContainsNumbers( $author ) ) {
                $this->sue_log();
                /* phpcs:ignore WordPress.Security.NonceVerification -- not saved just logging the request, not form input so no unslash */
                wp_die( esc_html__( 'forbidden - number in author name not allowed = ', 'stop-user-enumeration' ) . esc_html( $author ) );
            }
        }
    }

    The function wp_die by default returns a 500 error. Do you think it would be more appropriate if it instead returned a 403 forbidden status? Something like:

    wp_die(
        esc_html__( 'forbidden - number in author name not allowed = ', 'stop-user-enumeration' ) . esc_html( $author ),
        esc_html__( 'Forbidden', 'stop-user-enumeration' ),
        array( 'response' => 403 )
    );
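The investigation described in the post (a spike of 500s in Grafana that turned out to be blocked ?author=ID probes) is easy to reproduce from the Apache access log. The following is an added example, not code from the plugin or from the original poster: a small Python log triage script that separates enumeration probes from genuine server errors, so a 5xx alert can be tuned to fire only on the latter. The log lines are constructed samples in Apache "combined" format; the regex is an assumption about that format and should be adjusted if your LogFormat differs. The probe check mirrors the plugin's ContainsNumbers rule (any digit in the author value).

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat (assumed; adjust if your server logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: a bot walking ?author=1,2,3 (two answered with the
# plugin's default 500, one with 403), one normal page view, and one genuine 500.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 500 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /?author=2 HTTP/1.1" 500 1234 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:12:00:03 +0000] "GET /about/ HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /?author=3 HTTP/1.1" 403 1234 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_author_probe(target):
    """True when the request target carries an author= query value containing a digit.

    This mirrors the plugin's ContainsNumbers() check on $_REQUEST['author'].
    """
    values = parse_qs(urlsplit(target).query).get("author", [])
    return any(ch.isdigit() for v in values for ch in v)


def summarize(lines):
    """Count requests by (kind, status), where kind is 'author_probe' or 'other'."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = "author_probe" if is_author_probe(rec["target"]) else "other"
        counts[(kind, rec["status"])] += 1
    return counts


def real_server_errors(lines):
    """Return the 5xx lines that are NOT enumeration probes: the ones worth alerting on."""
    errors = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] >= 500 and not is_author_probe(rec["target"]):
            errors.append(line)
    return errors


if __name__ == "__main__":
    for (kind, status), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind:13s} {status}  {n}")
    print("genuine 5xx lines:", len(real_server_errors(SAMPLE_LOG)))
```

Run against a real log with `summarize(open("/var/log/apache2/access.log"))`. With the plugin's default wp_die status, the probes show up under ("author_probe", 500) and inflate the same metric as genuine failures; once the block responds with 403 as proposed above, a plain status-code dashboard already separates the two without any log parsing.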
Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Logging blocked enumeration attempts with a different status code’ is closed to new replies.