• Resolved anderslinn

    (@anderslinn)


    So I scan my site with WP Scan and I get these results from
    wpscan --url https://mysite.url/ --enumerate u

    [+] username1
    | Found By: Author Posts - Author Pattern (Passive Detection)
    | Confirmed By: Wp Json Api (Aggressive Detection)
    | - https://mysite.url/wp-json/wp/v2/users/?per_page=100&page=1

    [+] username2
    | Found By: Author Posts - Author Pattern (Passive Detection)
    | Confirmed By: Wp Json Api (Aggressive Detection)
    | - https://mysite.url/wp-json/wp/v2/users/?per_page=100&page=1

    [+] showed display name2
    | Found By: Rss Generator (Aggressive Detection)

    [+] showed display name1
    | Found By: Rss Generator (Aggressive Detection)

    I have stop user enumerating and Disable feeds turned on in the hardening tab (together with everything else there).
    Any ideas why it doesn’t work or a solution?

    • This topic was modified 4 years, 1 month ago by anderslinn.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author gioni

    (@gioni)

    Hi!

    1. You have to enable “Block access to users’ data via REST API”.
    2. See #4 here: https://wpcerber.com/quickhelp/

    Thread Starter anderslinn

    (@anderslinn)

    Thanks for the answer. I had that, but the issue was simple: my IP is whitelisted, so no surprise it didn't block enumeration.

  • The topic ‘User enumeration still on’ is closed to new replies.
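
A check for the two aggressive-detection channels in the scan output above (the REST users endpoint and the RSS feed), added here as an example that is not part of the thread or the plugin. It takes the status and body of each response, fetched from an IP that is not on the plugin's whitelist, and reports what each channel still leaks. The function names, sample responses and the status codes used for "blocked" are constructed assumptions.

```python
import json
import xml.etree.ElementTree as ET

# Namespace WordPress RSS feeds use for the per-item author element.
DC_CREATOR = "{http://purl.org/dc/elements/1.1/}creator"

def rest_users_exposed(status, body):
    """Logins (slugs) leaked by /wp-json/wp/v2/users; [] when blocked."""
    if status != 200:
        return []
    try:
        data = json.loads(body)
    except ValueError:
        return []          # HTML block page or empty body
    if not isinstance(data, list):
        return []          # JSON error object instead of a user list
    return [u["slug"] for u in data if isinstance(u, dict) and u.get("slug")]

def feed_authors_exposed(status, body):
    """Display names leaked via <dc:creator> in the feed; [] when blocked."""
    if status != 200:
        return []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []          # not a feed (for example an HTML error page)
    names = {(e.text or "").strip() for e in root.iter(DC_CREATOR)}
    return sorted(n for n in names if n)

def audit(rest, feed):
    """rest and feed are (status, body) pairs fetched from a non-whitelisted IP."""
    return {"rest_api": rest_users_exposed(*rest),
            "rss_feed": feed_authors_exposed(*feed)}

# Constructed sample responses (not captured from a real site).
REST_OPEN = (200, '[{"id": 1, "name": "showed display name1", "slug": "username1"},'
                  ' {"id": 2, "name": "showed display name2", "slug": "username2"}]')
REST_BLOCKED = (403, '{"code": "blocked"}')   # assumed shape of a block response
FEED_OPEN = (200, '<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">'
                  '<channel><item><dc:creator><![CDATA[showed display name1]]>'
                  '</dc:creator></item></channel></rss>')
FEED_BLOCKED = (404, "<html><body>Not found</body></html>")

if __name__ == "__main__":
    print("hardening ineffective:", audit(REST_OPEN, FEED_OPEN))
    print("hardening effective:  ", audit(REST_BLOCKED, FEED_BLOCKED))
```

An empty list for both keys means the two channels no longer expose users to the address the responses were fetched from; a run from a whitelisted address says nothing about what other visitors see.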