Version Description
- Added donate link to plugin listing
Release Info
Developer | llocally |
Plugin | Stop User Enumeration |
Version | 1.3.2 |
Code changes from version 1.3.1 to 1.3.2
- readme.txt +93 -98
- stop-user-enumeration.php +67 -59
readme.txt
CHANGED
@@ -1,104 +1,99 @@
|
|
1 |
-
=== Stop User Enumeration ===
|
2 |
-
Contributors: fullworks
|
3 |
-
Tags: User Enumeration, Security, WPSCAN, fail2ban
|
4 |
-
Requires at least: 3.4
|
5 |
-
Tested up to: 4.3.1
|
6 |
-
Stable tag: 1.3.
|
7 |
-
License: GPLv2 or later
|
8 |
-
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
9 |
-
|
10 |
-
User Enumeration is a method hackers and scanners use to get your username. This plugin stops it.
|
11 |
-
== Description ==
|
12 |
-
Even if you are careful and set your blogging nickname differently from your login id, if you are using permalinks it only takes a few seconds
|
13 |
-
to discover your real user name. This plugin stops user enumeration dead (like in use by WPSCAN), and additionally it will log an event
|
14 |
-
in your system log so you can use (optionally) fail2ban to block the probing IP.
|
15 |
-
== Installation ==
|
16 |
-
|
17 |
-
1. Upload `plugin-name.php` to the `/wp-content/plugins/` directory
|
18 |
-
1. Activate the plugin through the 'Plugins' menu in WordPress
|
19 |
-
|
20 |
-
== Frequently asked questions ==
|
21 |
-
|
22 |
-
= Are there any settings? =
|
23 |
-
No
|
24 |
-
= Will it work on Multisite? =
|
25 |
-
Yes
|
26 |
-
= Do I need fail2ban for this to work? =
|
27 |
-
No, but fail2ban will allow you to block IP addresses that attempt user enumeration.
|
28 |
-
= What do I do with the fail2ban file?=
|
29 |
-
Place the file wordpress-userenum.conf in your fail2ban installation's filter.d directory.
|
30 |
-
edit your jail.local to include lines like
|
31 |
-
`[wordpress-userenum]
|
32 |
-
enabled = true
|
33 |
-
filter = wordpress-userenumaction = iptables-allports[name=WORDPRESS-USERENUM]
|
34 |
-
sendmail-whois-lines[name=WORDPRESS-USERENUM, dest=youremail@yourdomain, logpath=/var/log/messages]
|
35 |
-
logpath = /var/log/messages
|
36 |
-
maxretry = 1
|
37 |
-
findtime = 600
|
38 |
-
bantime = 2500000`
|
39 |
-
Adjusted to your own requirements.
|
40 |
-
|
41 |
== Changelog ==
|
42 |
-
=
|
43 |
-
= 1.3.
|
44 |
-
|
45 |
-
*
|
46 |
-
= 1.3.
|
47 |
-
|
48 |
-
* code improvement from Thomas van der Westen
|
49 |
-
|
50 |
-
= 1.2.8 =
|
51 |
-
|
52 |
-
* bug fix to allow comments to use author in url
|
53 |
-
|
54 |
-
= 1.2.8 =
|
55 |
-
|
56 |
-
* allow comments to use author in url
|
57 |
-
|
58 |
-
= 1.2.7 =
|
59 |
-
|
60 |
-
* bug fix to POST protection
|
61 |
-
|
62 |
-
= 1.2.6 =
|
63 |
-
|
64 |
-
* bug fix to POST protection
|
65 |
-
|
66 |
-
= 1.2.5 =
|
67 |
-
|
68 |
-
* Added protection against bypass using null bytes (thanks to vunerbality identification and solution by cvcrcky )
|
69 |
-
* Added protection angainst POST bypass (thanks to vunerbaility identification by urbanadventurer and solution ideas from Ov3rfly and Malivuk )
|
70 |
-
|
71 |
-
|
72 |
-
= 1.2.4 =
|
73 |
-
|
74 |
-
* Added code to check whether not admin (to stop admin features failing) and changed trailing slash code to trap situation where not posts are found and user is displayed in title
|
75 |
-
|
76 |
-
|
77 |
= 1.2.3 =
|
78 |
-
|
79 |
-
|
80 |
-
* Fixed bug that stopped export in admin
|
81 |
-
|
82 |
-
= 1.2.2 =
|
83 |
-
|
84 |
-
* Added code to stop bypassing the check when a trailing slash is added
|
85 |
-
|
86 |
-
= 1.2.1 =
|
87 |
-
* minor change to handle a specific php issue with a certain version
|
88 |
-
|
89 |
|
90 |
|
91 |
= 1.1 =
|
92 |
-
|
93 |
* added close log
|
94 |
-
* corrected call to wp die
|
95 |
-
|
96 |
-
= 1.0 =
|
97 |
-
* first release
|
98 |
-
|
99 |
-
== Upgrade notice ==
|
100 |
-
|
101 |
-
|
102 |
-
|
103 |
-
|
104 |
-
|
1 |
+
=== Stop User Enumeration ===
|
2 |
+
Contributors: fullworks
|
3 |
+
Tags: User Enumeration, Security, WPSCAN, fail2ban
|
4 |
+
Requires at least: 3.4
|
5 |
+
Tested up to: 4.3.1
|
6 |
+
Stable tag: 1.3.2
|
7 |
+
License: GPLv2 or later
|
8 |
+
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
9 |
+
|
10 |
+
User Enumeration is a method hackers and scanners use to get your username. This plugin stops it.
|
11 |
+
== Description ==
|
12 |
+
Even if you are careful and set your blogging nickname differently from your login id, if you are using permalinks it only takes a few seconds
|
13 |
+
to discover your real user name. This plugin stops user enumeration dead (like in use by WPSCAN), and additionally it will log an event
|
14 |
+
in your system log so you can use (optionally) fail2ban to block the probing IP.
|
15 |
+
== Installation ==
|
16 |
+
|
17 |
+
1. Upload `plugin-name.php` to the `/wp-content/plugins/` directory
|
18 |
+
1. Activate the plugin through the 'Plugins' menu in WordPress
|
19 |
+
|
20 |
+
== Frequently asked questions ==
|
21 |
+
|
22 |
+
= Are there any settings? =
|
23 |
+
No
|
24 |
+
= Will it work on Multisite? =
|
25 |
+
Yes
|
26 |
+
= Do I need fail2ban for this to work? =
|
27 |
+
No, but fail2ban will allow you to block IP addresses that attempt user enumeration.
|
28 |
+
= What do I do with the fail2ban file?=
|
29 |
+
Place the file wordpress-userenum.conf in your fail2ban installation's filter.d directory.
|
30 |
+
edit your jail.local to include lines like
|
31 |
+
`[wordpress-userenum]
|
32 |
+
enabled = true
|
33 |
+
filter = wordpress-userenumaction = iptables-allports[name=WORDPRESS-USERENUM]
|
34 |
+
sendmail-whois-lines[name=WORDPRESS-USERENUM, dest=youremail@yourdomain, logpath=/var/log/messages]
|
35 |
+
logpath = /var/log/messages
|
36 |
+
maxretry = 1
|
37 |
+
findtime = 600
|
38 |
+
bantime = 2500000`
|
39 |
+
Adjusted to your own requirements.
|
40 |
+
|
41 |
== Changelog ==
|
42 |
+
=
|
43 |
+
= 1.3.2 =
|
44 |
+
|
45 |
+
* Added donate link to plugin listing
|
46 |
+
= 1.3.1 =
|
47 |
+
|
48 |
+
* code improvement from Thomas van der Westen
|
49 |
+
|
50 |
+
= 1.2.8 =
|
51 |
+
|
52 |
+
* bug fix to allow comments to use author in url
|
53 |
+
|
54 |
+
= 1.2.8 =
|
55 |
+
|
56 |
+
* allow comments to use author in url
|
57 |
+
|
58 |
+
= 1.2.7 =
|
59 |
+
|
60 |
+
* bug fix to POST protection
|
61 |
+
|
62 |
+
= 1.2.6 =
|
63 |
+
|
64 |
+
* bug fix to POST protection
|
65 |
+
|
66 |
+
= 1.2.5 =
|
67 |
+
|
68 |
+
* Added protection against bypass using null bytes (thanks to vunerbality identification and solution by cvcrcky )
|
69 |
+
* Added protection angainst POST bypass (thanks to vunerbaility identification by urbanadventurer and solution ideas from Ov3rfly and Malivuk )
|
70 |
+
|
71 |
+
|
72 |
+
= 1.2.4 =
|
73 |
+
|
74 |
+
* Added code to check whether not admin (to stop admin features failing) and changed trailing slash code to trap situation where not posts are found and user is displayed in title
|
75 |
+
|
76 |
+
|
77 |
= 1.2.3 =
|
78 |
+
|
79 |
+
|
80 |
+
* Fixed bug that stopped export in admin
|
81 |
+
|
82 |
+
= 1.2.2 =
|
83 |
+
|
84 |
+
* Added code to stop bypassing the check when a trailing slash is added
|
85 |
+
|
86 |
+
= 1.2.1 =
|
87 |
+
* minor change to handle a specific php issue with a certain version
|
88 |
+
|
89 |
|
90 |
|
91 |
= 1.1 =
|
92 |
+
|
93 |
* added close log
|
94 |
+
* corrected call to wp die
|
95 |
+
|
96 |
+
= 1.0 =
|
97 |
+
* first release
|
98 |
+
|
99 |
+
== Upgrade notice ==
|
|
|
|
|
|
|
|
|
|
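--- a/stop-user-enumeration.php
+++ b/stop-user-enumeration.php
@@ -1,59 +1,67 @@
-<?php
-/*
-Plugin Name: Stop User Enumeration
-Plugin URI: http://locally.uk/wordpress-plugins/stop-user-enumeration/
-Description: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
-Version: 1.3.
-Author: Locally Digital Ltd
-Author URI: http://locally.uk
-License: GPLv2 or later
-*/
-
-/*
-This program is free software; you can redistribute it and/or
-modify it under the terms of the GNU General Public License
-as published by the Free Software Foundation; either version 2
-of the License, or (at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-*/
-
-if ( ! is_admin()){
-if ( ! is_admin()){
-if(preg_match('/(wp-comments-post)/', $_SERVER['REQUEST_URI']) === 0 ) {
-if (!empty($_POST['author'])) {
-ll_kill_enumeration();
-}
-}
-
-if(preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING']) === 1)
-ll_kill_enumeration();
-
-add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
-}
-}
-
-add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
-function ll_detect_enumeration ($redirect_url, $requested_url) {
-if (preg_match('/\?author(%00[0%]*)?=([0-9]*)(\/*)/', $requested_url)===1 | ($_POST['author'])) {
-ll_kill_enumeration();
-} else {
-return $redirect_url;
-}
-}
-
-function ll_kill_enumeration() {
-openlog('wordpress('.$_SERVER['HTTP_HOST'].')',LOG_NDELAY|LOG_PID,LOG_AUTH);
-syslog(LOG_INFO,"Attempted user enumeration from {$_SERVER['REMOTE_ADDR']}");
-closelog();
-wp_die('forbidden');
-}
-
-
+<?php
+/*
+Plugin Name: Stop User Enumeration
+Plugin URI: http://locally.uk/wordpress-plugins/stop-user-enumeration/
+Description: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
+Version: 1.3.2
+Author: Locally Digital Ltd
+Author URI: http://locally.uk
+License: GPLv2 or later
+*/
+
+/*
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+*/
+
+if ( ! is_admin()){
+if ( ! is_admin()){
+if(preg_match('/(wp-comments-post)/', $_SERVER['REQUEST_URI']) === 0 ) {
+if (!empty($_POST['author'])) {
+ll_kill_enumeration();
+}
+}
+
+if(preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING']) === 1)
+ll_kill_enumeration();
+
+add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
+}
+}
+
+add_filter('redirect_canonical','ll_detect_enumeration', 10,2);
+function ll_detect_enumeration ($redirect_url, $requested_url) {
+if (preg_match('/\?author(%00[0%]*)?=([0-9]*)(\/*)/', $requested_url)===1 | ($_POST['author'])) {
+ll_kill_enumeration();
+} else {
+return $redirect_url;
+}
+}
+
+function ll_kill_enumeration() {
+openlog('wordpress('.$_SERVER['HTTP_HOST'].')',LOG_NDELAY|LOG_PID,LOG_AUTH);
+syslog(LOG_INFO,"Attempted user enumeration from {$_SERVER['REMOTE_ADDR']}");
+closelog();
+wp_die('forbidden');
+}
+add_action('plugin_row_meta', 'sue_plugin_row_meta', 10, 2 );
+
+function sue_plugin_row_meta( $links, $file = '' ){
+if( false !== strpos($file , '/stop-user-enumeration.php') ){
+$links[] = '<a target="_blank" href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=4EMTVFMKXRRYY"><strong>Donate</strong></a>';
+}
+return $links;
+}
+
+?>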
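Review bot: Both author checks on the new side — `preg_match('/author=([0-9]*)/', $_SERVER['QUERY_STRING'])` at line 36 and the `\?author(%00[0%]*)?=` pattern applied to `$requested_url` at line 45 — run over the raw, undecoded request text, whereas WordPress resolves the `author` query var from the percent-decoded `$_GET`; as far as I can tell a request such as `?%61uthor=1` passes both regexes and still reaches the canonical redirect that discloses the author slug, which should be confirmed on a test site. I would anchor the detection on the decoded value WordPress itself uses, e.g. `if ( isset( $_GET['author'] ) || ! empty( $_POST['author'] ) ) { ll_kill_enumeration(); }` at the top level and `get_query_var( 'author' )` inside `ll_detect_enumeration`, rather than pattern-matching the URL. Separately, line 45 combines the `preg_match` result with `$_POST['author']` using bitwise `|` and no isset guard, which raises an undefined-index notice on every canonical redirect and coerces the string to an integer; it should read `=== 1 || ! empty( $_POST['author'] )`. The donate anchor added at line 62 uses `target="_blank"` and should carry `rel="noopener noreferrer"` so the opened page cannot reach the wp-admin opener window in browsers that do not default to noopener.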