{"id":42962,"date":"2016-04-04T16:11:30","date_gmt":"2016-04-04T16:11:30","guid":{"rendered":"https:\/\/wordpress.org\/plugins-wp\/no-user-enumeration\/"},"modified":"2019-10-23T03:11:06","modified_gmt":"2019-10-23T03:11:06","slug":"no-user-enumeration","status":"publish","type":"plugin","link":"https:\/\/lmo.wordpress.org\/plugins\/no-user-enumeration\/","author":14898741,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"1.3.2","stable_tag":"1.3.2","tested":"5.2.24","requires":"2.9","requires_php":"","requires_plugins":"","header_name":"No User Enumeration","header_author":"Carlos Montiers Aguilera","header_description":"","assets_banners_color":"","last_updated":"2019-10-23 03:11:06","external_support_url":"","external_repository_url":"","donate_link":"#","header_plugin_uri":"","header_author_uri":"","rating":0,"author_block_rating":0,"active_installs":200,"downloads":4739,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":[],"upgrade_notice":{"":"<p>.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":0},"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0","1.1","1.2","1.3","1.3.1","1.3.2"],"block_files":[],"assets_screenshots":[],"screenshots":[],"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[600,46130,12936],"plugin_category":[],"plugin_contributors":[],"plugin_business_model":[],"class_list":["post-42962","plugin","type-plugin","status-publish","hentry","plugin_tags-security","plugin_tags-user-enumeration","plugin_tags-wpscan","plugin_committers-carlost800"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/no-user-enumeration.svg","icon_2x":false,"generated":true},"screenshots":[],"raw_content":"<!--section=description-->\n<p>In many WordPress installations it is possible to enumerate usernames through the author archives, using URLs like these:<\/p>\n\n<p>http:\/\/wpsite\/?author=1<\/p>\n\n<p>http:\/\/wpsite\/?author=1\/<\/p>\n\n<p>http:\/\/wpsite\/?bypass=1&amp;author%00=1<\/p>\n\n<p>http:\/\/wpsite\/?author%00=%001<\/p>\n\n<p>http:\/\/wpsite\/?%61uthor=1<\/p>\n\n<p>Since version 4.7, WordPress also ships with an integrated REST API that allows listing users:<\/p>\n\n<p>curl -s http:\/\/wpsite\/wp-json\/wp\/v2\/users\/\ncurl -s http:\/\/wpsite\/?rest_route=\/wp\/v2\/users\ncurl http:\/\/wpsite\/?_method=GET -d rest_route=\/wp\/v2\/users<\/p>\n\n<p>Knowing the username of an administrator is half the battle; an attacker then only needs to guess the password.\nThis plugin stops that.<\/p>\n\n<p>It is also possible to get usernames from post entries.\nThis plugin hides the name of the author in a post entry if they are not using a nickname.\nIt also hides the page link URL of an administrator author.<\/p>\n\n<p>The main goal is to hide the administrators' usernames.\nObviously, it is better not to choose \"admin\" as the username, because it is easily guessable.<\/p>\n\n<!--section=installation-->\n<ol>\n<li>Upload <code>no-user-enumeration<\/code> to the <code>\/wp-content\/plugins\/<\/code> directory<\/li>\n<li>Activate the plugin through the 'Plugins' menu in WordPress<\/li>\n<\/ol>\n\n<!--section=faq-->\n<p>.<\/p>\n\n<!--section=changelog-->\n<h4>1.3.2<\/h4>\n\n<ul>\n<li>No longer emits an undefined index notice when WP_DEBUG is enabled.<\/li>\n<\/ul>\n\n<h4>1.3.1<\/h4>\n\n<ul>\n<li>Minor changes.<\/li>\n<\/ul>\n\n<h4>1.3<\/h4>\n\n<ul>\n<li>Fix a bypass of the protection using: curl http:\/\/wpsite\/?_method=GET -d rest_route=\/wp\/v2\/users<\/li>\n<\/ul>\n\n<h4>1.2<\/h4>\n\n<ul>\n<li>Disallow listing users via the REST API.<\/li>\n<li>Compatibility with the WP All Import plugin.<\/li>\n<\/ul>\n\n<h4>1.1<\/h4>\n\n<ul>\n<li>Hide admin usernames in post replies. Improved security.<\/li>\n<\/ul>\n\n<h4>1.0<\/h4>\n\n<ul>\n<li>First version.<\/li>\n<\/ul>","raw_excerpt":"Stop user enumeration for security.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/lmo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/42962","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/lmo.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/lmo.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=42962"}],"author":[{"embeddable":true,"href":"https:\/\/lmo.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/carlost800"}],"wp:attachment":[{"href":"https:\/\/lmo.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=42962"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/lmo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=42962"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/lmo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=42962"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/lmo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=42962"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/lmo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=42962"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/lmo.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=42962"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}