Description
Stops user name enumeration and other types of user name and email leakage.
Specifically, it does the following:
1. When the site is configured to use pretty permalinks, the plugin prevents the automatic redirect of URLs that include a user ID, such as example.com/?author=1, to a page like example.com/author/admin. That redirect leaks the existence of a user named admin, which can then be used in brute-force attacks. (This is also known as "user enumeration".)
2. Restricts user-name-related information in the REST API (the actual user name and the user's posts page URL) to admin users only.
3. Prevents authentication failure notices on the login page from disclosing the existence of user names/user emails, which happens when one message is shown for an incorrect user name/email and a different one for an incorrect password. Only one identical failure message is shown.
4. Prevents the password reset mechanism from disclosing user names/user emails through different messages depending on whether the user/email for which a reset is requested exists in the DB or not. Only one identical message is shown.
Even with this plugin active, if your theme displays author information while linking to author pages, that can still be used for user name leakage. In that case you should consider a plugin such as https://wordpress.org/plugins/authors-as-taxonomy/ to completely decouple user and author information.
The plugin does not handle leakage resulting from the use of gravatar, as that would require replacing the gravatar functionality itself, and it is much harder to exploit than the other leakages.
Finally, a leakage hole not covered right now, but which might be covered in the future, is information leakage through the sign-in process. Since most installs do not allow people to sign in, we leave it for later.
For more information about the plugin, see its home page https://calmpress.org/wordpress-plugins/prevent-user-name-and-email-leakage/
Documentation
Contribute
Pull requests, bug reports and/or enhancement suggestions are welcome at https://github.com/calmPress/Authors-as-taxonomy
② Search for "Prevent user name and email leakage" in the admin dashboard → install directly (recommended)
Original plugin description
Stops user name enumeration and other types of user name and email leakage.
Specifically does the following:
1. When the site is configured to use pretty permalinks, the plugin will prevent
the automatic redirect of URLs which include a user ID, like example.com/?author=1, to
something like example.com/author/admin, which would leak the existence of a user
named admin that can be used in further brute force attacks.
(This is also known as "user enumeration".)
2. With the REST API, restrict user name related information (actual user name
and user posts page URL) to admin users only.
3. Prevent authentication failure notices on the login page from disclosing
the existence of user names/user emails, which results from displaying different
messages when the user name is incorrect and when the password is incorrect. Just
display the same failure message whatever the failure reason is.
4. Prevent the reset password mechanism from disclosing user names/user emails,
which results from displaying different messages when a user/email for which a reset
is requested exists in the DB and when it does not. Just display the same message
for both.
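The four measures listed above (in both the translated and the original description), as an added example that is not the plugin's own code: each one is implemented with a standard WordPress hook so the effect of each item can be seen in isolation. It assumes WordPress 5.4 or later (for the second argument of the lostpassword_post action) and uses the list_users capability as the "admin user" test; both are assumptions, not something the page states.

```php
<?php
/**
 * Added example, not the plugin's own code: the four hardening measures from
 * the description, implemented with standard WordPress hooks. Save it under
 * wp-content/mu-plugins/ to try it out.
 * Assumptions: WordPress 5.4+ ('lostpassword_post' passes $user_data since 5.4);
 * the 'list_users' capability stands in for "admin user".
 */

// 1. Do not canonical-redirect ?author=N to /author/<login>/ under pretty
//    permalinks. Returning false from 'redirect_canonical' cancels the redirect.
add_filter( 'redirect_canonical', function ( $redirect_url, $requested_url ) {
	if ( is_author() && isset( $_GET['author'] ) ) {
		return false;
	}
	return $redirect_url;
}, 10, 2 );

// 2. Strip the login name ('slug') and the author-archive URL ('link') from
//    REST API user objects unless the requester may list users. Users embedded
//    in post responses pass through the same filter, so they are covered too.
add_filter( 'rest_prepare_user', function ( $response, $user, $request ) {
	if ( current_user_can( 'list_users' ) ) {
		return $response;
	}
	$data = $response->get_data();
	unset( $data['slug'], $data['link'] );
	$response->set_data( $data );
	return $response;
}, 10, 3 );

// 3. Collapse the distinguishing login errors into one generic message.
//    Core returns 'invalid_username' / 'invalid_email' when the account does
//    not exist and 'incorrect_password' when it does; a late 'authenticate'
//    filter replaces all three with the same error object.
add_filter( 'authenticate', function ( $user ) {
	if ( ! is_wp_error( $user ) ) {
		return $user;
	}
	$revealing = array( 'invalid_username', 'invalid_email', 'incorrect_password' );
	if ( array_intersect( $revealing, $user->get_error_codes() ) ) {
		return new WP_Error(
			'authentication_failed',
			__( '<strong>Error</strong>: The username/email or password is incorrect.' )
		);
	}
	return $user; // e.g. empty_username / empty_password, which reveal nothing
}, 99 );

// 4. Make the lost-password form behave identically whether or not the account
//    exists: when no user matched (and the only error, if any, is core's
//    "no account" one), send the same "check your email" page that a
//    successful request produces instead of rendering an error.
add_action( 'lostpassword_post', function ( $errors, $user_data = null ) {
	if ( $user_data ) {
		return; // account exists: let core send the reset link as usual
	}
	$codes = $errors->get_error_codes();
	if ( ! empty( $codes ) && array( 'invalid_email' ) !== $codes ) {
		return; // genuine input error (e.g. empty field), not a leak
	}
	wp_safe_redirect( add_query_arg( 'checkemail', 'confirm', wp_login_url() ) );
	exit;
}, 10, 2 );
```

With measure 1 the request for ?author=1 no longer reveals the login name in a redirect, but the author archive still renders at that URL, so whatever author information the theme prints there remains visible, which is exactly the theme-side leakage the description warns about. Measure 3 leaves the field-is-empty errors alone because they depend only on the submitted form, not on the database, and so disclose nothing.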
Even with the plugin active, if your theme displays author information while linking
to author pages, this can be used for user name leakage. In this case you should
think about totally decoupling user and author information with plugins like
Another thing the plugin does not do is handle leakage resulting from the use
of gravatar, as this requires a replacement of the gravatar functionality itself and
it is much harder to exploit than the other leakages.
The last leakage hole not covered right now, but which might be covered in the future,
is leakage of information via the sign in process. We leave it for later as most
installs do not allow people to sign in.
Read more on the plugin's main page https://calmpress.org/wordpress-plugins/prevent-user-name-and-email-leakage/
Documentation
Contribute
Pull Requests, bug reports and/or enhancement suggestions are welcome at https://github.com/calmPress/Authors-as-taxonomy
