Version Description
Upgrade to version 1.3.30 to disable author site maps - you will need to enable in settings (closes issue #6)
Release Info
Developer | fullworks |
Plugin | Stop User Enumeration |
Version | 1.3.30 |
Code changes from version 1.3.29 to 1.3.30
- admin/class-admin-settings.php +19 -0
- bootstrap.php +1 -1
- frontend/class-frontend.php +8 -0
- includes/class-core.php +3 -0
- languages/stop-user-enumeration.pot +20 -12
- readme.txt +14 -4
- stop-user-enumeration.php +1 -1
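--- a/admin/class-admin-settings.php
+++ b/admin/class-admin-settings.php
@@ -95,6 +95,7 @@ class Admin_Settings extends Admin_Pages {
 return array(
 // set defaults
 'stop_rest_user' => 'on',
+'stop_sitemap' => 'on',
 'log_auth' => 'on',
 'comment_jquery' => 'on',
 );
@@ -172,6 +173,9 @@ class Admin_Settings extends Admin_Pages {
 if ( ! isset( $settings['stop_rest_user'] ) ) {
 $settings['stop_rest_user'] = 'off'; // always set checkboxes if they dont exist
 }
+if ( ! isset( $settings['stop_sitemap'] ) ) {
+$settings['stop_sitemap'] = 'off'; // always set checkboxes if they dont exist
+}
 if ( ! isset( $settings['log_auth'] ) ) {
 $settings['log_auth'] = 'off'; // always set checkboxes if they dont exist
 }
@@ -190,6 +194,9 @@ class Admin_Settings extends Admin_Pages {
 if ( ! isset( $options['stop_rest_user'] ) ) {
 $options['stop_rest_user'] = 'off';
 }
+if ( ! isset( $options['stop_sitemap'] ) ) {
+$options['stop_sitemap'] = 'off';
+}
 if ( ! isset( $options['log_auth'] ) ) {
 $options['log_auth'] = 'off';
 }
@@ -211,6 +218,18 @@ class Admin_Settings extends Admin_Pages {
 </label>
 </td>
 </tr>
+<tr valign="top">
+<th scope="row"><?php esc_html_e( 'Disable WP Core Author sitemaps', 'stop-user-enumeration' ); ?></th>
+<td>
+<label for="stop-user-enumeration[stop_sitemap]"><input type="checkbox"
+name="stop-user-enumeration[stop_sitemap]]"
+id="stop-user-enumeration[stop_sitemap]"
+value="on"
+<?php checked( 'on', $options['stop_sitemap'] ); ?>>
+<?php _e( 'WordPress provides sitemaps for built-in content types like pages and author archives out of the box. The Author sitemap exposes the user id.', 'stop-user-enumeration' ); ?>
+</label>
+</td>
+</tr>
 <tr valign="top" class="alternate">
 <th scope="row"><?php esc_html_e( 'log attempts to AUTH LOG', 'stop-user-enumeration' ); ?></th>
 <td>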
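Review bot: The new checkbox's `name` attribute in the last hunk has an unbalanced bracket, `name="stop-user-enumeration[stop_sitemap]]"`, while the matching `for`/`id` use `stop-user-enumeration[stop_sitemap]`; whether PHP's request parser tolerates the trailing `]` is nothing to rely on, and if it does not, the submitted value never reaches the settings array and the sanitize branch in the second hunk resets the option to 'off' on every save. The line should read `name="stop-user-enumeration[stop_sitemap]"`. The description text is printed with `_e()` whereas the row heading on the line above uses `esc_html_e()`; the string contains no markup, so `esc_html_e()` keeps the output escaped at no cost and matches the rest of the row. The first hunk defaults `stop_sitemap` to 'on', which appears to disagree with the release note saying the feature must be enabled in settings after upgrade; confirm which behaviour is intended for fresh installs.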
bootstrap.php
@@ -9,7 +9,7 @@ if ( ! defined( 'WPINC' ) ) {
|
|
9 |
die;
|
10 |
}
|
11 |
define( 'STOP_USER_ENUMERATION_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
|
12 |
-
define( 'STOP_USER_ENUMERATION_PLUGIN_VERSION', '1.3.
|
13 |
|
14 |
|
15 |
// Include the autoloader so we can dynamically include the classes.
|
9 |
die;
|
10 |
}
|
11 |
define( 'STOP_USER_ENUMERATION_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
|
12 |
+
define( 'STOP_USER_ENUMERATION_PLUGIN_VERSION', '1.3.30' );
|
13 |
|
14 |
|
15 |
// Include the autoloader so we can dynamically include the classes.
|
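--- a/frontend/class-frontend.php
+++ b/frontend/class-frontend.php
@@ -114,4 +114,12 @@ class FrontEnd {
 return filter_var( $ipaddress, FILTER_VALIDATE_IP );
 }
 
+public function remove_author_sitemap( $provider, $name ) {
+if ( 'users' === $name ) {
+return false;
+}
+
+return $provider;
+}
+
 }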
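Review bot: `remove_author_sitemap` has no docblock, and its contract — returning `false` so that `wp_sitemaps_add_provider` drops the provider, anything else passing through — is not obvious from the two-branch body. I'd add a docblock stating that it is the callback for the `wp_sitemaps_add_provider` filter, that `'users'` is core's slug for the author sitemap, that the parameters are `WP_Sitemaps_Provider $provider` and `string $name`, and that the return is `WP_Sitemaps_Provider|false` with `false` meaning the provider is not registered. A short why-comment on the comparison, `// 'users' is the core slug for the author sitemap provider`, would save the next reader a lookup. The filter only exists in WordPress 5.5 and later, so on older versions the callback is simply never invoked; that is harmless but worth a line in the docblock given the plugin's stated minimum of 4.6.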
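--- a/includes/class-core.php
+++ b/includes/class-core.php
@@ -177,6 +177,9 @@ class Core {
 
 $this->loader->add_action( 'plugins_loaded', $plugin_public, 'check_request' );
 $this->loader->add_action( 'rest_authentication_errors', $plugin_public, 'only_allow_logged_in_rest_access_to_users' );
+if ( 'on' === $this->sue_get_option( 'stop_sitemap', 'off' ) ) {
+$this->loader->add_filter( 'wp_sitemaps_add_provider', $plugin_public, 'remove_author_sitemap', 10, 2 );
+}
 
 
 }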
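Review bot: The fallback `'off'` in `sue_get_option( 'stop_sitemap', 'off' )` disagrees with the `'stop_sitemap' => 'on'` default added to `admin/class-admin-settings.php` in the same commit; if `sue_get_option` does not merge the settings defaults, a fresh install shows the box ticked while the filter is never registered, and the readme's wording cannot tell the user which state is real. Pick one default and use it in both places, or have this call read the default from the settings class. The enclosing method starts and ends outside the hunk, so the hook at which this runs is not visible here; core registers its sitemap providers on `init` via `wp_sitemaps_get_server()`, so the filter must already be attached by then — a comment such as `// must be attached before init, where core registers its sitemap providers` would make that ordering constraint explicit.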
languages/stop-user-enumeration.pot
@@ -29,19 +29,19 @@ msgstr ""
|
|
29 |
msgid "Stop User Enumeration"
|
30 |
msgstr ""
|
31 |
|
32 |
-
#: src/admin/class-admin-settings.php:
|
33 |
msgid "Information"
|
34 |
msgstr ""
|
35 |
|
36 |
-
#: src/admin/class-admin-settings.php:
|
37 |
msgid "Options"
|
38 |
msgstr ""
|
39 |
|
40 |
-
#: src/admin/class-admin-settings.php:
|
41 |
msgid "About this Plugin"
|
42 |
msgstr ""
|
43 |
|
44 |
-
#: src/admin/class-admin-settings.php:
|
45 |
msgid ""
|
46 |
"<p>Stop User Enumeration detects attempts by malicious scanners to identify your users</p>\n"
|
47 |
" <p>If a bot or user is caught scanning for user names they are denied access and their IP is\n"
|
@@ -53,37 +53,45 @@ msgid ""
|
|
53 |
" href=\"https://www.fail2ban.org\" target=\"_blank\">fail2ban</a></p>"
|
54 |
msgstr ""
|
55 |
|
56 |
-
#: src/admin/class-admin-settings.php:
|
57 |
msgid "Support"
|
58 |
msgstr ""
|
59 |
|
60 |
-
#: src/admin/class-admin-settings.php:
|
61 |
msgid ""
|
62 |
"<a class=\"button-secondary\"\n"
|
63 |
" href=\"https://wordpress.org/support/plugin/stop-user-enumeration/\" target=\"_blank\">WordPress.org support forum</a>"
|
64 |
msgstr ""
|
65 |
|
66 |
-
#: src/admin/class-admin-settings.php:
|
67 |
msgid "Stop REST API User calls"
|
68 |
msgstr ""
|
69 |
|
70 |
-
#: src/admin/class-admin-settings.php:
|
71 |
msgid "WordPress allows anyone to find users by API call, by checking this box the calls will be restricted to logged in users only. Only untick this box if you need to allow unfettered API access to users"
|
72 |
msgstr ""
|
73 |
|
74 |
-
#: src/admin/class-admin-settings.php:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
75 |
msgid "log attempts to AUTH LOG"
|
76 |
msgstr ""
|
77 |
|
78 |
-
#: src/admin/class-admin-settings.php:
|
79 |
msgid "Leave this ticked if you are using %1$sFail2Ban%2$s on your VPS to block attempts at enumeration.%3$s If you are not running Fail2Ban or on a shared host this does not need to be ticked, however it normally will not cause a problem being ticked."
|
80 |
msgstr ""
|
81 |
|
82 |
-
#: src/admin/class-admin-settings.php:
|
83 |
msgid "Remove numbers from comment authors"
|
84 |
msgstr ""
|
85 |
|
86 |
-
#: src/admin/class-admin-settings.php:
|
87 |
msgid "This plugin uses JavaScript to remove any numbers from a comment author name, this is because numbers trigger enumeration checking. You can untick this if you do not use comments on your site or you use a different comment method than standard"
|
88 |
msgstr ""
|
89 |
|
29 |
msgid "Stop User Enumeration"
|
30 |
msgstr ""
|
31 |
|
32 |
+
#: src/admin/class-admin-settings.php:110
|
33 |
msgid "Information"
|
34 |
msgstr ""
|
35 |
|
36 |
+
#: src/admin/class-admin-settings.php:118
|
37 |
msgid "Options"
|
38 |
msgstr ""
|
39 |
|
40 |
+
#: src/admin/class-admin-settings.php:148
|
41 |
msgid "About this Plugin"
|
42 |
msgstr ""
|
43 |
|
44 |
+
#: src/admin/class-admin-settings.php:150
|
45 |
msgid ""
|
46 |
"<p>Stop User Enumeration detects attempts by malicious scanners to identify your users</p>\n"
|
47 |
" <p>If a bot or user is caught scanning for user names they are denied access and their IP is\n"
|
53 |
" href=\"https://www.fail2ban.org\" target=\"_blank\">fail2ban</a></p>"
|
54 |
msgstr ""
|
55 |
|
56 |
+
#: src/admin/class-admin-settings.php:161
|
57 |
msgid "Support"
|
58 |
msgstr ""
|
59 |
|
60 |
+
#: src/admin/class-admin-settings.php:163
|
61 |
msgid ""
|
62 |
"<a class=\"button-secondary\"\n"
|
63 |
" href=\"https://wordpress.org/support/plugin/stop-user-enumeration/\" target=\"_blank\">WordPress.org support forum</a>"
|
64 |
msgstr ""
|
65 |
|
66 |
+
#: src/admin/class-admin-settings.php:210
|
67 |
msgid "Stop REST API User calls"
|
68 |
msgstr ""
|
69 |
|
70 |
+
#: src/admin/class-admin-settings.php:217
|
71 |
msgid "WordPress allows anyone to find users by API call, by checking this box the calls will be restricted to logged in users only. Only untick this box if you need to allow unfettered API access to users"
|
72 |
msgstr ""
|
73 |
|
74 |
+
#: src/admin/class-admin-settings.php:222
|
75 |
+
msgid "Disable WP Core Author sitemaps"
|
76 |
+
msgstr ""
|
77 |
+
|
78 |
+
#: src/admin/class-admin-settings.php:229
|
79 |
+
msgid "WordPress provides sitemaps for built-in content types like pages and author archives out of the box. The Author sitemap exposes the user id."
|
80 |
+
msgstr ""
|
81 |
+
|
82 |
+
#: src/admin/class-admin-settings.php:234
|
83 |
msgid "log attempts to AUTH LOG"
|
84 |
msgstr ""
|
85 |
|
86 |
+
#: src/admin/class-admin-settings.php:241
|
87 |
msgid "Leave this ticked if you are using %1$sFail2Ban%2$s on your VPS to block attempts at enumeration.%3$s If you are not running Fail2Ban or on a shared host this does not need to be ticked, however it normally will not cause a problem being ticked."
|
88 |
msgstr ""
|
89 |
|
90 |
+
#: src/admin/class-admin-settings.php:248
|
91 |
msgid "Remove numbers from comment authors"
|
92 |
msgstr ""
|
93 |
|
94 |
+
#: src/admin/class-admin-settings.php:255
|
95 |
msgid "This plugin uses JavaScript to remove any numbers from a comment author name, this is because numbers trigger enumeration checking. You can untick this if you do not use comments on your site or you use a different comment method than standard"
|
96 |
msgstr ""
|
97 |
|
readme.txt
@@ -1,10 +1,10 @@
|
|
1 |
=== Stop User Enumeration ===
|
2 |
Contributors: fullworks,alanfuller
|
3 |
Tags: User Enumeration, Security, WPSCAN, fail2ban,
|
4 |
-
Requires at least:
|
5 |
Requires PHP: 5.6
|
6 |
-
Tested up to: 5.
|
7 |
-
Stable tag: 1.3.
|
8 |
License: GPLv2 or later
|
9 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
10 |
|
@@ -23,6 +23,8 @@ If you don't have access to install fail2ban ( e.g. on a Shared Host ) you can s
|
|
23 |
Since WordPress 4.5 user data can also be obtained by API calls without logging in, this is a WordPress feature, but if you don't need it to get user data, this
|
24 |
plugin will restrict and log that too.
|
25 |
|
|
|
|
|
26 |
|
27 |
== Installation ==
|
28 |
|
@@ -39,6 +41,8 @@ Either using the dashboard 'Add Plugin' feature to find, install and activate th
|
|
39 |
|
40 |
= It doesn't seem to work! ==
|
41 |
Are you logged in? This plugin won't do anything for logged in users, it only works when you are logged out. This is the way it is designed. A common mistake is to install the plugin and test it, while still logged in as admin.
|
|
|
|
|
42 |
= Are there any settings? =
|
43 |
Yes, but the default ones are fine for most cases
|
44 |
= This doesn't work with PHP 5.2! =
|
@@ -46,7 +50,7 @@ This plugin does not support PHP 5.2. PHP 5.2 is very old and you really need to
|
|
46 |
= Will it work on Multisite? =
|
47 |
Yes
|
48 |
= Why don't I just block with .htaccess =
|
49 |
-
A .htaccess solution is insufficient for
|
50 |
= Does it break anything? =
|
51 |
If a comment is left by someone just giving a number that comment would be forbidden, as it is assume a hack attempt, but the plugin has a bit of code that strips out numbers from comment author names
|
52 |
= Do I need fail2ban for this to work? =
|
@@ -56,8 +60,14 @@ An fail2ban config file, wordpress-userenum.conf is found in the plugin director
|
|
56 |
= What needs to go in the fail2ban jail.local?=
|
57 |
An example jail.local is found in plugin directory stop-user-enumeration/fail2ban
|
58 |
|
|
|
|
|
|
|
59 |
|
60 |
== Changelog ==
|
|
|
|
|
|
|
61 |
= 1.3.29 =
|
62 |
* Minor javascript fix
|
63 |
* better IP detection for proxies
|
1 |
=== Stop User Enumeration ===
|
2 |
Contributors: fullworks,alanfuller
|
3 |
Tags: User Enumeration, Security, WPSCAN, fail2ban,
|
4 |
+
Requires at least: 4.6
|
5 |
Requires PHP: 5.6
|
6 |
+
Tested up to: 5.7
|
7 |
+
Stable tag: 1.3.30
|
8 |
License: GPLv2 or later
|
9 |
License URI: http://www.gnu.org/licenses/gpl-2.0.html
|
10 |
|
23 |
Since WordPress 4.5 user data can also be obtained by API calls without logging in, this is a WordPress feature, but if you don't need it to get user data, this
|
24 |
plugin will restrict and log that too.
|
25 |
|
26 |
+
Since WordPress 5.5 sitemaps are generated by core WP ( wp-sitemap.xml ) which includes a user/author sitemap that exposes the user id. You can enable / disable this in the plugin settings.
|
27 |
+
|
28 |
|
29 |
== Installation ==
|
30 |
|
41 |
|
42 |
= It doesn't seem to work! ==
|
43 |
Are you logged in? This plugin won't do anything for logged in users, it only works when you are logged out. This is the way it is designed. A common mistake is to install the plugin and test it, while still logged in as admin.
|
44 |
+
= My user name still seems to be leaked! ==
|
45 |
+
Themes and xml feeds will include your user 'Display Name'. If you do not specify any name details or nick name, the 'Display Name' will default to your user name. Make sure your Display Name is always set NOT to your user name or it will be leaked in multiple places.
|
46 |
= Are there any settings? =
|
47 |
Yes, but the default ones are fine for most cases
|
48 |
= This doesn't work with PHP 5.2! =
|
50 |
= Will it work on Multisite? =
|
51 |
Yes
|
52 |
= Why don't I just block with .htaccess =
|
53 |
+
A .htaccess solution is insufficient for several reasons, but most published posts on the subject do not cover POST blocking, REST API blocking and inadvertently block admin users access. And don't log the IP to a firewall, the major benefit!
|
54 |
= Does it break anything? =
|
55 |
If a comment is left by someone just giving a number that comment would be forbidden, as it is assume a hack attempt, but the plugin has a bit of code that strips out numbers from comment author names
|
56 |
= Do I need fail2ban for this to work? =
|
60 |
= What needs to go in the fail2ban jail.local?=
|
61 |
An example jail.local is found in plugin directory stop-user-enumeration/fail2ban
|
62 |
|
63 |
+
== Upgrade Notice ==
|
64 |
+
= 1.3.30 =
|
65 |
+
Upgrade to version 1.3.30 to disable author site maps - you will need to enable in settings (closes issue #6)
|
66 |
|
67 |
== Changelog ==
|
68 |
+
= 1.3.30 =
|
69 |
+
* option to remove author site maps
|
70 |
+
|
71 |
= 1.3.29 =
|
72 |
* Minor javascript fix
|
73 |
* better IP detection for proxies
|
stop-user-enumeration.php
@@ -3,7 +3,7 @@
|
|
3 |
Plugin Name: Stop User Enumeration
|
4 |
Plugin URI: https://fullworks.net/products/stop-user-enumeration/
|
5 |
Description: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
|
6 |
-
Version: 1.3.
|
7 |
Author: Fullworks
|
8 |
Text Domain: stop-user-enumeration
|
9 |
Domain Path: /languages
|
3 |
Plugin Name: Stop User Enumeration
|
4 |
Plugin URI: https://fullworks.net/products/stop-user-enumeration/
|
5 |
Description: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
|
6 |
+
Version: 1.3.30
|
7 |
Author: Fullworks
|
8 |
Text Domain: stop-user-enumeration
|
9 |
Domain Path: /languages
|