[WordPress] Plugin spotlight: WP Author Security

Active installs: 500+
Rating: 5/5 (2 reviews)
Last updated: 1096 days ago
Support forum: issues resolved
Requires WordPress 4.7+ and PHP 7.4+; version 1.5.0; listed 2020-08-12

Description

WP Author Security is a lightweight but powerful plugin that protects author pages, and the other places where valid usernames can be obtained, against user enumeration attacks.

By default, WordPress discloses some sensitive information on author pages.
The author page is typically reached by requesting the URI https://yourdomain.tld/?author=<id> or, with permalinks enabled, https://yourdomain.tld/author/<username>.
Depending on your theme, that page shows the author's full name (first and last name) as well as the username that is used to log in to WordPress.

In some cases this information should not be exposed to the public. An attacker can brute-force valid IDs or valid usernames, and the result can feed further attacks such as social engineering or login brute-forcing with the gathered usernames.
Note, however, that if you use this plugin to disable author pages completely, you still have to make sure that the active theme does not print the author name on posts itself (for example "Posted by admin"). The plugin does not (currently) handle that.

With this plugin you can disable author pages completely, or show them only when the author has at least one published post. When a page is disabled, the active theme's default 404 error page is shown instead.

In addition, the plugin protects other locations that attackers commonly use to harvest valid usernames:

The users REST API, which by default lists every user with published posts: https://yourdomain.tld/wp-json/wp/v2/users
The login page, where different error messages reveal whether the entered username or e-mail address exists. The plugin shows a neutral error message regardless of whether the user exists.
The lost-password function, which likewise lets an attacker check whether a user exists. As on the login page, the plugin shows a neutral message even when the user does not exist.
The feed endpoint /feed of the blog, which lets anyone see the authors' usernames or display names. The plugin removes the names from the result list.
oEmbeds, which WordPress supports as a way to embed a reference to a post inside another post. That reference also contains the author name and a direct link to the profile page; the plugin removes the name and the link here as well.
The default sitemap, reachable since WordPress 5.5 at /wp-sitemap.xml, which discloses the usernames of all authors. If this should not be disclosed, you can disable this WordPress feature.
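The Python module below is an added example, not code from the WP Author Security plugin or from WordPress itself. It shows what each location listed above actually discloses and how a tester would classify a site's responses: every probe consumes one captured HTTP response and returns the account identifiers it finds, so the same logic can be run over live responses from a site you are authorised to test. The sample responses are constructed by hand to mirror core WordPress output formats; the host example.test, the users admin and j.doe (whose nicename is j-doe) and the display names are invented, and the login-error wording is modelled on core WordPress 5.x strings. The probes distinguish the login-derived user_nicename (what ?author=N, the REST slug, the users sitemap and the oEmbed author_url expose) from the display name (what the feed and the oEmbed author_name carry), because only the former is a direct login-name candidate.

```python
"""Offline classifier for the WordPress user-enumeration vectors listed above.

Added example, not code from the WP Author Security plugin.  Each probe takes
one captured HTTP response and returns the account identifiers it leaks.  All
sample responses are constructed by hand to mirror core WordPress output;
example.test, "admin", "j.doe" (nicename j-doe) and the display names are invented.
"""
import json
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")
# Core wp-login.php wording that differs by account existence (modelled on
# WordPress 5.x strings); a hardened, neutral message matches neither pattern.
EXISTS_RE = re.compile(r"password you entered for the (username|email address)", re.I)
UNKNOWN_RE = re.compile(r"Unknown (username|email address)|no account with that", re.I)


@dataclass
class Response:          # one captured HTTP response
    status: int
    headers: dict
    body: str


@dataclass(frozen=True)
class Leak:
    vector: str
    kind: str            # "nicename": sanitised login (j.doe -> j-doe); "display_name": free text
    value: str


def probe_author_id_redirect(resp):
    """/?author=N: core 301s to /author/<user_nicename>/ for every valid ID; 404 when disabled."""
    if resp.status not in (301, 302):
        return []
    m = AUTHOR_RE.search(resp.headers.get("Location", ""))
    return [Leak("author_id", "nicename", m.group(1))] if m else []


def probe_rest_users(resp):
    """/wp-json/wp/v2/users: 'slug' is user_nicename, 'name' is the display name."""
    if resp.status != 200:   # hardened sites answer 404 rest_no_route / 401 rest_cannot_access
        return []
    return [Leak("rest_users", kind, user[field]) for user in json.loads(resp.body)
            for kind, field in (("nicename", "slug"), ("display_name", "name"))]


def probe_feed(resp):
    """/feed/: <dc:creator> carries the display name, not the login name."""
    if resp.status != 200:
        return []
    tag = "{http://purl.org/dc/elements/1.1/}creator"
    return [Leak("feed", "display_name", el.text.strip())
            for el in ET.fromstring(resp.body).iter(tag) if el.text]


def probe_users_sitemap(resp):
    """/wp-sitemap-users-1.xml (WP 5.5+, linked from /wp-sitemap.xml): one <loc> per author."""
    if resp.status != 200:
        return []
    tag = "{http://www.sitemaps.org/schemas/sitemap/0.9}loc"
    hits = (AUTHOR_RE.search(el.text or "") for el in ET.fromstring(resp.body).iter(tag))
    return [Leak("sitemap", "nicename", m.group(1)) for m in hits if m]


def probe_oembed(resp):
    """/wp-json/oembed/1.0/embed?url=<post>: author_name plus the author archive link."""
    if resp.status != 200:
        return []
    data = json.loads(resp.body)
    leaks = [Leak("oembed", "display_name", data["author_name"])] if data.get("author_name") else []
    m = AUTHOR_RE.search(data.get("author_url", ""))
    return leaks + ([Leak("oembed", "nicename", m.group(1))] if m else [])


def classify_login_error(html):
    """'exists' / 'unknown' / 'neutral' for a wp-login.php or lost-password error box."""
    if EXISTS_RE.search(html):
        return "exists"
    return "unknown" if UNKNOWN_RE.search(html) else "neutral"


PROBES = {"author_id": probe_author_id_redirect, "rest_users": probe_rest_users,
          "feed": probe_feed, "sitemap": probe_users_sitemap, "oembed": probe_oembed}


def run_probes(captures):
    """Run every probe that has a capture; returns the combined Leak list."""
    return [leak for name, resp in captures.items() for leak in PROBES[name](resp)]


def candidate_logins(leaks):
    """Login-name candidates: nicenames first, display names only as a fallback."""
    nice = sorted({lk.value for lk in leaks if lk.kind == "nicename"})
    return nice + sorted({lk.value for lk in leaks if lk.kind == "display_name"} - set(nice))


# --- constructed sample captures (not real traffic) ---------------------------
SAMPLES = {
    "author_id": Response(301, {"Location": "https://example.test/author/admin/"}, ""),
    "rest_users": Response(200, {}, json.dumps([{"id": 1, "name": "Site Admin", "slug": "admin"},
                                               {"id": 2, "name": "Jane Doe", "slug": "j-doe"}])),
    "feed": Response(200, {}, '<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">'
                              '<channel><item><dc:creator><![CDATA[Jane Doe]]></dc:creator>'
                              '</item></channel></rss>'),
    "sitemap": Response(200, {}, '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
                                 '<url><loc>https://example.test/author/admin/</loc></url>'
                                 '<url><loc>https://example.test/author/j-doe/</loc></url></urlset>'),
    "oembed": Response(200, {}, json.dumps({"author_name": "Jane Doe",
                                           "author_url": "https://example.test/author/j-doe/"})),
}
# The same probes against a site with the vectors closed recover nothing.
HARDENED = {"author_id": Response(404, {}, ""),
            "rest_users": Response(404, {}, '{"code":"rest_no_route"}')}

if __name__ == "__main__":
    for leak in run_probes(SAMPLES):
        print(f"{leak.vector:10} {leak.kind:13} {leak.value}")
    print("candidate logins:", candidate_logins(run_probes(SAMPLES)))
    print("hardened site:", candidate_logins(run_probes(HARDENED)))
```

classify_login_error works on the text of the error box only: core WordPress prints different wording for an unknown account and for a wrong password (and for a lost-password request against a non-existent account), which is the oracle the plugin's neutral message is meant to close. Run these probes only against sites you are authorised to test.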


