Stop User Enumeration is a security plugin designed to detect and prevent hackers from scanning your site for user login names.
User enumeration is a type of attack where nefarious parties probe your website to discover your login name. This is often a precursor to brute-force password attacks. Stop User Enumeration helps block this initial attack and allows you to log the IPs launching these attacks so that you can block further attacks in the future.
Tools like WPScan are designed for use by ethical hackers and attempt to find user login names. Ethical hackers ask permission first; this plugin is designed to reduce the effectiveness of these tools when they are used without permission and, when used in conjunction with fail2ban, can block those attempts at the firewall.
If you are on a VPS or dedicated server, the attacking IP is logged, so you can (with optional additional configuration) use fail2ban to block the attack directly at your server's firewall. This is a very powerful way for VPS owners to stop brute-force attacks as well as DDoS attacks.
If you don't have access to install fail2ban (e.g. on a shared host) you can still use this plugin.
The plugin can stop the user id being leaked by the oEmbed API call.
Since WordPress 4.5, user data can also be obtained by API calls without logging in. This is a WordPress feature, but if you don't need it to get user data, this plugin will restrict and log that too.
Since WordPress 5.5, sitemaps are generated by core WP (wp-sitemap.xml), which includes a user/author sitemap that exposes the user id. You can enable or disable this in the plugin settings.
PHP 8.0 compatible
Tested on PHP 8
Features Include
- Blocks user enumeration requests by GET or POST
- Syslogs a block so Fail2Ban can be used to block an IP
- Optionally blocks REST API user requests for non-authorized users
- Optionally removes author sitemap
- Optionally removes author from oEmbed
- Optionally removes numbers from comment authors
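To audit a site's own access log for the request types listed above, the following added example (not the plugin's code) classifies requests as author-ID, REST user, or author-sitemap lookups and tallies them per client IP. The URL patterns are assumptions based on WordPress core URL conventions, the function names are hypothetical, and the log lines are constructed samples; oEmbed is not flagged because its author data is leaked in the response, not requested by a distinctive URL.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: patterns follow WordPress core URL conventions; they are not
# the plugin's own rules.
REST_USERS = re.compile(r"^/wp/v2/users(/|$)")
USER_SITEMAP = re.compile(r"^/wp-sitemap-users-\d+\.xml$")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def classify(method, target, body=""):
    """Return the enumeration vector a request matches, or None."""
    parts = urlsplit(target)
    # Collapse repeated slashes and drop a trailing one so "/x/" matches "/x".
    path = re.sub(r"/+", "/", parts.path).rstrip("/") or "/"
    params = parse_qs(parts.query)
    if method == "POST":                      # the plugin covers GET and POST
        params.update(parse_qs(body))
    # Strip a trailing slash from the value too (see the 1.2.2 changelog entry).
    author = params.get("author", [""])[0].strip().rstrip("/")
    if author.isdigit():
        return "author-id"
    rest = params.get("rest_route", [""])[0].rstrip("/")
    if path.startswith("/wp-json"):
        rest = path[len("/wp-json"):]
    if REST_USERS.match(rest):
        return "rest-users"
    if USER_SITEMAP.match(path):
        return "author-sitemap"
    return None

def offenders(lines, threshold=2):
    """Map client IP -> hit count for IPs with at least `threshold` lookups."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and classify(m.group(2), m.group(3)):
            hits[m.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample access-log lines (documentation IP ranges).
SAMPLE = [
    '203.0.113.7 - - [12/Aug/2022:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0',
    '203.0.113.7 - - [12/Aug/2022:10:00:02 +0000] "GET /?author=2/ HTTP/1.1" 301 0',
    '203.0.113.7 - - [12/Aug/2022:10:00:03 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Aug/2022:10:00:04 +0000] "GET /wp-sitemap-users-1.xml HTTP/1.1" 200 900',
    '198.51.100.4 - - [12/Aug/2022:10:00:05 +0000] "GET /2022/08/hello-world/ HTTP/1.1" 200 4096',
]
```

The access log does not show whether a REST request was authenticated, so legitimate logged-in API use will also be counted as `rest-users`.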
Releases (51)
Version | Release Date | Change Log |
---|---|---|
1.4.5 | 2022-08-12 | |
1.4.4 | 2022-03-17 | |
1.4.3 | 2022-01-25 | |
1.4.2 | 2022-01-24 | |
1.4.1 | 2022-01-22 | |
1.4.0 | 2021-12-02 | |
1.3.33 | 2021-08-29 | |
1.3.32 | 2021-08-06 | |
1.3.31 | 2021-07-12 | Upgrade to version 1.3.30 to disable author site maps - you will need to enable in settings (closes issue #6) |
1.3.30 | 2021-07-02 | Upgrade to version 1.3.30 to disable author site maps - you will need to enable in settings (closes issue #6) |
1.3.29 | 2020-12-04 | |
1.3.28 | 2020-11-17 | |
1.3.27 | 2020-10-09 | |
1.3.26 | 2020-09-09 | |
1.3.25 | 2019-12-10 | |
1.3.24 | 2019-11-13 | |
1.3.23 | 2019-10-07 | |
1.3.22 | 2019-07-04 | |
1.3.20 | 2019-02-27 | |
1.3.19 | 2019-02-25 | |
1.3.18 | 2018-12-07 | |
1.3.17 | 2018-08-29 | |
1.3.16 | 2018-07-06 | |
1.3.15 | 2018-01-23 | |
1.3.14 | 2017-11-17 | |
1.3.13 | 2017-11-14 | |
1.3.12 | 2017-09-27 | |
1.3.11 | 2017-09-27 | |
1.3.10 | 2017-08-30 | Fixed unused JavaScript & CSS in settings page |
1.3.9 | 2017-07-19 | Added language settings to allow translation. Sanitized text being written to syslog. Closed potential REST API bypass. |
1.3.8 | 2017-06-13 | Security fix to stop XSS exploit. Also coded so it should work with PHP 5.3. Although PHP 5.3 has been end of life for over two years, it seems some hosts still use it. This is a security risk in its own right and sites using PHP 5.3 should try to upgrade to a supported version of PHP, but this change is for backward compatibility. |
1.3.7 | 2017-01-05 | Fix to allow deprecated PHP version 5.4 to work, as 5.4 seems to still be in common use despite end of life. Note this code won't work on PHP 5.3. |
1.3.6 | 2017-01-04 | Fix PHP error |
1.3.5 | 2017-01-03 | |
1.3.4 | 2016-04-09 | |
1.3.3 | 2015-10-13 | |
1.3.2 | 2015-10-11 | |
1.3.1 | 2015-10-03 | |
1.3.0 | 2014-11-19 | |
1.2.9 | 2014-10-03 | |
1.2.8 | 2014-08-25 | |
1.2.7 | 2014-08-25 | |
1.2.6 | 2014-08-25 | |
1.2.5 | 2014-07-31 | |
1.2.4 | 2014-04-17 | |
1.2.3 | 2013-12-02 | Fixed bug that stopped export |
1.2.2 | 2013-11-22 | Added code to stop bypassing the check when a trailing slash is added |
1.2.1 | 2013-10-26 | |
1.2 | 2013-10-26 | |
1.1 | 2013-10-26 | |
1.0 | 2013-10-25 | |