
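Description
Stop User Enumeration is a security plugin designed to detect and prevent hackers from scanning your site for user login names.
User enumeration is an attack in which malicious parties probe your website and discover your login names. It is often a precursor to brute-force password attacks. Stop User Enumeration helps block this initial attack and lets you log the IPs launching these attacks so that further attacks can be blocked in the future.
Tools like WPSCAN are designed for use by ethical hackers, and they work hard to find user login names. Ethical hackers ask permission first; this plugin is designed to limit such tools when they are used without permission, and when used together with fail2ban it can block these attempts at the firewall.
If you are on a VPS or dedicated server, because the attacking IP is logged, you can use fail2ban (optional additional configuration) to block the attack directly at your server's firewall, a powerful solution for VPS owners to stop brute-force attacks as well as DDoS attacks.
If you cannot install fail2ban (for example, on shared hosting), you can still use this plugin.
The plugin can stop oEmbed API calls from leaking the user ID.
Since WordPress 4.5, user data can also be obtained through API calls. This is a WordPress feature, but if you do not need it to obtain user data, this plugin can restrict and log it.
Since WordPress 5.5, core WP generates sitemaps (wp-sitemap.xml), including a user/author sitemap that exposes the user ID. You can enable or disable this in the plugin settings.
Compatible with PHP 8.0
Tested on PHP 8
Features include
* Blocks user enumeration requests by GET or POST
* Logs blocks to syslog so that Fail2Ban can be used to block the IP
* Optionally blocks REST API user requests from non-authorized users
* Optionally removes the author sitemap
* Optionally removes the author from oEmbed
* Optionally removes numbers from comment authors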
Original plugin description
Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user login names.
User enumeration is a type of attack where nefarious parties can probe your website to discover your login name. This is often a precursor to brute-force password attacks. Stop User Enumeration helps block this initial attack and allows you to log the IPs launching these attacks so that further attacks can be blocked in the future.
Tools like WPSCAN are designed for use by ethical hackers and make efforts to find user login names. Ethical hackers ask permission first; this plugin is designed to limit such tools when they are used without permission and, when used in conjunction with fail2ban, can block those attempts at the firewall.
If you are on a VPS or dedicated server, because the attack IP is logged, you can use fail2ban (optional additional configuration) to block the attack directly at your server's firewall, a very powerful solution for VPS owners to stop brute-force attacks as well as DDoS attacks.
If you don't have access to install fail2ban (e.g. on a shared host), you can still use this plugin.
The plugin can stop the user ID being leaked by the oEmbed API call.
Since WordPress 4.5, user data can also be obtained by API calls without logging in. This is a WordPress feature, but if you don't need it to get user data, this plugin will restrict and log that too.
Since WordPress 5.5, sitemaps are generated by core WP (wp-sitemap.xml), including a user/author sitemap that exposes the user ID. You can enable or disable this in the plugin settings.
PHP 8.4 compatible
Tested on PHP 8.4
Features Include
* Blocks user enumeration requests by GET or POST
* Syslogs a block so Fail2Ban can be used to block an IP
* Optionally blocks REST API user requests for non-authorized users
* Optionally removes author sitemap
* Optionally removes author from oEmbed
* Optionally removes numbers from comment authors
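To check whether a site is already seeing the request types listed above, the following added example (not the plugin's own code) scans web-server access log lines for three of them and counts hits per client IP. The URL patterns are assumptions taken from WordPress core's URL layout (`author` query parameter, `/wp/v2/users` REST route, `wp-sitemap-users-N.xml`), not from the plugin's rules, and the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "scanner"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "scanner"
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "scanner"
198.51.100.4 - - [10/Jan/2025:10:01:00 +0000] "GET /wp-sitemap-users-1.xml HTTP/1.1" 200 900 "-" "bot"
198.51.100.4 - - [10/Jan/2025:10:01:05 +0000] "GET /index.php?rest_route=%2Fwp%2Fv2%2Fusers%2F1 HTTP/1.1" 200 300 "-" "bot"
192.0.2.10 - - [10/Jan/2025:10:02:00 +0000] "GET /author/alice/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jan/2025:10:02:09 +0000] "GET /?s=author%3D1 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
REST_USERS = re.compile(r"^/wp/v2/users(/|$)")          # assumed core REST route
USER_SITEMAP = re.compile(r"/wp-sitemap-users-\d+\.xml$")  # assumed core sitemap name

def classify(target):
    """Return the enumeration vector a request target matches, or None."""
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    path = unquote(url.path)
    # Numeric author ID in the query string (a search for "author=1" is not a hit).
    if any(v.isdigit() for v in query.get("author", [])):
        return "author-id"
    # The REST route arrives either as a pretty /wp-json/ path or as ?rest_route=.
    route = query.get("rest_route", [""])[0]
    if "/wp-json/" in path:
        route = "/" + path.split("/wp-json/", 1)[1]
    if REST_USERS.match(route):
        return "rest-users"
    if USER_SITEMAP.search(path):
        return "user-sitemap"
    return None

def scan(log_text):
    """Count matching requests per (client IP, vector)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        vector = classify(m.group(2)) if m else None
        if vector:
            hits[(m.group(1), vector)] += 1
    return hits

if __name__ == "__main__":
    for (ip, vector), n in sorted(scan(SAMPLE_LOG).items()):
        print(ip, vector, n)
```

An access log shows neither POST bodies nor whether a request was authenticated, so REST hits from logged-in editors appear here too and should be reviewed before any IP is blocked.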
Privacy
This plugin includes an optional email feature for plugin news and updates. When enabled:
* Your email address may be sent to https://fullworksplugins.com for important plugin updates and security notices
* This is completely optional and requires your explicit consent via the opt-in form in the plugin settings
* No data is collected or transmitted without your permission
* You can opt-out at any time from the plugin settings
* No other personal data is collected or transmitted to external services
The plugin logs attempted user enumeration attacks locally using WordPress’s standard logging system:
* IP addresses of potential attackers are logged locally for security monitoring
* These logs remain on your server and are not transmitted to any external service
* Logs can be used with fail2ban or similar tools for enhanced security
For more information about data handling, please visit https://fullworksplugins.com/privacy-policy/
