Stop User Enumeration - Version 1.3.2

Version Description

  • Added donate link to plugin listing

Release Info

Developer llocally
Version 1.3.2

Code changes from version 1.3.1 to 1.3.2

Files changed (2)
  1. readme.txt +93 -98
  2. stop-user-enumeration.php +67 -59
readme.txt CHANGED
@@ -1,104 +1,99 @@
1
- === Stop User Enumeration ===
2
- Contributors: fullworks
3
- Tags: User Enumeration, Security, WPSCAN, fail2ban
4
- Requires at least: 3.4
5
- Tested up to: 4.3.1
6
- Stable tag: 1.3.1
7
- License: GPLv2 or later
8
- License URI: http://www.gnu.org/licenses/gpl-2.0.html
9
-
10
- User Enumeration is a method hackers and scanners use to get your username. This plugin stops it.
11
- == Description ==
12
- Even if you are careful and set your blogging nickname differently from your login id, if you are using permalinks it only takes a few seconds
13
- to discover your real user name. This plugin stops user enumeration dead (like in use by WPSCAN), and additionally it will log an event
14
- in your system log so you can use (optionally) fail2ban to block the probing IP.
15
- == Installation ==
16
-
17
- 1. Upload `plugin-name.php` to the `/wp-content/plugins/` directory
18
- 1. Activate the plugin through the 'Plugins' menu in WordPress
19
-
20
- == Frequently asked questions ==
21
-
22
- = Are there any settings? =
23
- No
24
- = Will it work on Multisite? =
25
- Yes
26
- = Do I need fail2ban for this to work? =
27
- No, but fail2ban will allow you to block IP addresses that attempt user enumeration.
28
- = What do I do with the fail2ban file?=
29
- Place the file wordpress-userenum.conf in your fail2ban installation's filter.d directory.
30
- edit your jail.local to include lines like
31
- `[wordpress-userenum]
32
- enabled = true
33
- filter = wordpress-userenumaction = iptables-allports[name=WORDPRESS-USERENUM]
34
- sendmail-whois-lines[name=WORDPRESS-USERENUM, dest=youremail@yourdomain, logpath=/var/log/messages]
35
- logpath = /var/log/messages
36
- maxretry = 1
37
- findtime = 600
38
- bantime = 2500000`
39
- Adjusted to your own requirements.
40
-
41
  == Changelog ==
42
- =
43
- = 1.3.0 =
44
-
45
- * minor descriptive change
46
- = 1.3.0 =
47
-
48
- * code improvement from Thomas van der Westen
49
-
50
- = 1.2.8 =
51
-
52
- * bug fix to allow comments to use author in url
53
-
54
- = 1.2.8 =
55
-
56
- * allow comments to use author in url
57
-
58
- = 1.2.7 =
59
-
60
- * bug fix to POST protection
61
-
62
- = 1.2.6 =
63
-
64
- * bug fix to POST protection
65
-
66
- = 1.2.5 =
67
-
68
- * Added protection against bypass using null bytes (thanks to vunerbality identification and solution by cvcrcky )
69
- * Added protection angainst POST bypass (thanks to vunerbaility identification by urbanadventurer and solution ideas from Ov3rfly and Malivuk )
70
-
71
-
72
- = 1.2.4 =
73
-
74
- * Added code to check whether not admin (to stop admin features failing) and changed trailing slash code to trap situation where not posts are found and user is displayed in title
75
-
76
-
77
  = 1.2.3 =
78
-
79
-
80
- * Fixed bug that stopped export in admin
81
-
82
- = 1.2.2 =
83
-
84
- * Added code to stop bypassing the check when a trailing slash is added
85
-
86
- = 1.2.1 =
87
- * minor change to handle a specific php issue with a certain version
88
-
89
 
90
 
91
  = 1.1 =
92
-
93
  * added close log
94
- * corrected call to wp die
95
-
96
- = 1.0 =
97
- * first release
98
-
99
- == Upgrade notice ==
100
-
101
-
102
-
103
-
104
-
1
+ === Stop User Enumeration ===
2
+ Contributors: fullworks
3
+ Tags: User Enumeration, Security, WPSCAN, fail2ban
4
+ Requires at least: 3.4
5
+ Tested up to: 4.3.1
6
+ Stable tag: 1.3.2
7
+ License: GPLv2 or later
8
+ License URI: http://www.gnu.org/licenses/gpl-2.0.html
9
+
10
+ User Enumeration is a method hackers and scanners use to get your username. This plugin stops it.
11
+ == Description ==
12
+ Even if you are careful and set your blogging nickname differently from your login id, if you are using permalinks it only takes a few seconds
13
+ to discover your real user name. This plugin stops user enumeration dead (like in use by WPSCAN), and additionally it will log an event
14
+ in your system log so you can use (optionally) fail2ban to block the probing IP.
15
+ == Installation ==
16
+
17
+ 1. Upload `plugin-name.php` to the `/wp-content/plugins/` directory
18
+ 1. Activate the plugin through the 'Plugins' menu in WordPress
19
+
20
+ == Frequently asked questions ==
21
+
22
+ = Are there any settings? =
23
+ No
24
+ = Will it work on Multisite? =
25
+ Yes
26
+ = Do I need fail2ban for this to work? =
27
+ No, but fail2ban will allow you to block IP addresses that attempt user enumeration.
28
+ = What do I do with the fail2ban file?=
29
+ Place the file wordpress-userenum.conf in your fail2ban installation's filter.d directory.
30
+ edit your jail.local to include lines like
31
+ `[wordpress-userenum]
32
+ enabled = true
33
+ filter = wordpress-userenumaction = iptables-allports[name=WORDPRESS-USERENUM]
34
+ sendmail-whois-lines[name=WORDPRESS-USERENUM, dest=youremail@yourdomain, logpath=/var/log/messages]
35
+ logpath = /var/log/messages
36
+ maxretry = 1
37
+ findtime = 600
38
+ bantime = 2500000`
39
+ Adjusted to your own requirements.
40
+
41
  == Changelog ==
42
+ =
43
+ = 1.3.2 =
44
+
45
+ * Added donate link to plugin listing
46
+ = 1.3.1 =
47
+
48
+ * code improvement from Thomas van der Westen
49
+
50
+ = 1.2.8 =
51
+
52
+ * bug fix to allow comments to use author in url
53
+
54
+ = 1.2.8 =
55
+
56
+ * allow comments to use author in url
57
+
58
+ = 1.2.7 =
59
+
60
+ * bug fix to POST protection
61
+
62
+ = 1.2.6 =
63
+
64
+ * bug fix to POST protection
65
+
66
+ = 1.2.5 =
67
+
68
+ * Added protection against bypass using null bytes (thanks to vunerbality identification and solution by cvcrcky )
69
+ * Added protection angainst POST bypass (thanks to vunerbaility identification by urbanadventurer and solution ideas from Ov3rfly and Malivuk )
70
+
71
+
72
+ = 1.2.4 =
73
+
74
+ * Added code to check whether not admin (to stop admin features failing) and changed trailing slash code to trap situation where not posts are found and user is displayed in title
75
+
76
+
77
  = 1.2.3 =
78
+
79
+
80
+ * Fixed bug that stopped export in admin
81
+
82
+ = 1.2.2 =
83
+
84
+ * Added code to stop bypassing the check when a trailing slash is added
85
+
86
+ = 1.2.1 =
87
+ * minor change to handle a specific php issue with a certain version
88
+
89
 
90
 
91
  = 1.1 =
92
+
93
  * added close log
94
+ * corrected call to wp die
95
+
96
+ = 1.0 =
97
+ * first release
98
+
99
+ == Upgrade notice ==
 
 
 
 
 
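Review bot: the fail2ban example in the FAQ runs two directives together on one line, `filter = wordpress-userenumaction = iptables-allports[name=WORDPRESS-USERENUM]`, so anyone who pastes it into jail.local gets a filter named `wordpress-userenumaction = iptables-allports[...]` and no action at all; split it into `filter = wordpress-userenum` and `action = iptables-allports[name=WORDPRESS-USERENUM]`, with the `sendmail-whois-lines[...]` line indented as the continuation of that action. Since this hunk rewrites the whole readme anyway, the changelog should also lose the stray `=` line directly under `== Changelog ==`, the second of the two `= 1.2.8 =` entries (both describe the same comment/author fix), and note that the old `= 1.3.0 =` entry was dropped rather than renumbered, so the history now jumps from 1.3.1 to 1.2.8; the `== Upgrade notice ==` section is still empty, and the install step still says `plugin-name.php` instead of `stop-user-enumeration.php`.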
stop-user-enumeration.php CHANGED
@@ -1,59 +1,67 @@
1
- <?php
2
- /*
3
- Plugin Name: Stop User Enumeration
4
- Plugin URI: http://locally.uk/wordpress-plugins/stop-user-enumeration/
5
- Description: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
6
- Version: 1.3.1
7
- Author: Locally Digital Ltd
8
- Author URI: http://locally.uk
9
- License: GPLv2 or later
10
- */
11
-
12
- /*
13
- This program is free software; you can redistribute it and/or
14
- modify it under the terms of the GNU General Public License
15
- as published by the Free Software Foundation; either version 2
16
- of the License, or (at your option) any later version.
17
-
18
- This program is distributed in the hope that it will be useful,
19
- but WITHOUT ANY WARRANTY; without even the implied warranty of
20
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21
- GNU General Public License for more details.
22
-
23
- You should have received a copy of the GNU General Public License
24
- along with this program; if not, write to the Free Software
25
- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26
- */
27
-
28
- if ( ! is_admin()){
29
- if ( ! is_admin()){
30
- if(preg_match('/(wp-comments-post)/', $_SERVER['REQUEST_URI']) === 0 ) {
31
- if (!empty($_POST['author'])) {
32
- ll_kill_enumeration();
33
- }
34
- }
35
-
36
- if(preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING']) === 1)
37
- ll_kill_enumeration();
38
-
39
- add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
40
- }
41
- }
42
-
43
- add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
44
- function ll_detect_enumeration ($redirect_url, $requested_url) {
45
- if (preg_match('/\?author(%00[0%]*)?=([0-9]*)(\/*)/', $requested_url)===1 | ($_POST['author'])) {
46
- ll_kill_enumeration();
47
- } else {
48
- return $redirect_url;
49
- }
50
- }
51
-
52
- function ll_kill_enumeration() {
53
- openlog('wordpress('.$_SERVER['HTTP_HOST'].')',LOG_NDELAY|LOG_PID,LOG_AUTH);
54
- syslog(LOG_INFO,"Attempted user enumeration from {$_SERVER['REMOTE_ADDR']}");
55
- closelog();
56
- wp_die('forbidden');
57
- }
58
-
59
- ?>
 
 
 
 
 
 
 
 
1
+ <?php
2
+ /*
3
+ Plugin Name: Stop User Enumeration
4
+ Plugin URI: http://locally.uk/wordpress-plugins/stop-user-enumeration/
5
+ Description: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
6
+ Version: 1.3.2
7
+ Author: Locally Digital Ltd
8
+ Author URI: http://locally.uk
9
+ License: GPLv2 or later
10
+ */
11
+
12
+ /*
13
+ This program is free software; you can redistribute it and/or
14
+ modify it under the terms of the GNU General Public License
15
+ as published by the Free Software Foundation; either version 2
16
+ of the License, or (at your option) any later version.
17
+
18
+ This program is distributed in the hope that it will be useful,
19
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
20
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21
+ GNU General Public License for more details.
22
+
23
+ You should have received a copy of the GNU General Public License
24
+ along with this program; if not, write to the Free Software
25
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
26
+ */
27
+
28
+ if ( ! is_admin()){
29
+ if ( ! is_admin()){
30
+ if(preg_match('/(wp-comments-post)/', $_SERVER['REQUEST_URI']) === 0 ) {
31
+ if (!empty($_POST['author'])) {
32
+ ll_kill_enumeration();
33
+ }
34
+ }
35
+
36
+ if(preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING']) === 1)
37
+ ll_kill_enumeration();
38
+
39
+ add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
40
+ }
41
+ }
42
+
43
+ add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
44
+ function ll_detect_enumeration ($redirect_url, $requested_url) {
45
+ if (preg_match('/\?author(%00[0%]*)?=([0-9]*)(\/*)/', $requested_url)===1 | ($_POST['author'])) {
46
+ ll_kill_enumeration();
47
+ } else {
48
+ return $redirect_url;
49
+ }
50
+ }
51
+
52
+ function ll_kill_enumeration() {
53
+ openlog('wordpress('.$_SERVER['HTTP_HOST'].')',LOG_NDELAY|LOG_PID,LOG_AUTH);
54
+ syslog(LOG_INFO,"Attempted user enumeration from {$_SERVER['REMOTE_ADDR']}");
55
+ closelog();
56
+ wp_die('forbidden');
57
+ }
58
+ add_action('plugin_row_meta', 'sue_plugin_row_meta', 10, 2 );
59
+
60
+ function sue_plugin_row_meta( $links, $file = '' ){
61
+ if( false !== strpos($file , '/stop-user-enumeration.php') ){
62
+ $links[] = '<a target="_blank" href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=4EMTVFMKXRRYY"><strong>Donate</strong></a>';
63
+ }
64
+ return $links;
65
+ }
66
+
67
+ ?>
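Review bot: the new `sue_plugin_row_meta` only matches when `$file` contains `/stop-user-enumeration.php`, so the Donate link never appears for a single-file install dropped straight into `wp-content/plugins/` (the layout the readme's install step describes), where the plugin basename has no directory prefix; compare `$file` against `plugin_basename( __FILE__ )` instead, and give the `target="_blank"` anchor a `rel="noopener noreferrer"`. Because the hunk re-adds the entire file, the pre-existing defects also survive unchanged and are worth fixing in the same commit: `ll_detect_enumeration` joins its two tests with the bitwise `|` rather than `||` and reads `$_POST['author']` without `isset`/`empty`, so `$_POST['author']` is evaluated on every canonical redirect and raises a notice whenever no author field was posted; `if ( ! is_admin()){` is nested twice, and `add_filter('redirect_canonical','ll_detect_enumeration', 10,2);` is registered once inside that block and again unconditionally below it, so the filter runs twice per request; and `wp_die('forbidden')` answers a blocked probe with WordPress's default 500 status, where `wp_die('forbidden', '', array('response' => 403))` would report the block accurately in the web server log alongside the syslog line.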