Prevent Enumeration of Usernames In Nginx


Prevent Enumeration of Usernames In Nginx – This is a really simple fix which blocks user enumeration on a WordPress site (for example the author-ID method used by WPScan).

Before I get into this, I am very well aware of the IfIsEvil page on the nginx wiki. But that same page also says, “The only 100% safe things which may be done inside if in location context are: return and rewrite as the last statement in a location block.” With that in mind, we are going to use ONLY rewrite as the last statement in our location block.



Add the code below to your Nginx vhost conf file:

Remember to change the domain name on line 6 🙂
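As an added illustration of the approach described above (this is an example written for this page, not the author's own snippet), the vhost below rejects requests that carry an `author=<number>` query parameter, the request WordPress would otherwise turn into a redirect to `/author/<username>/`. The `if` holds a single `rewrite` as its last statement, which is the pattern the nginx wiki calls safe. `example.com`, the listen port and the `/var/www/wordpress` root are placeholder values; the PHP-FPM socket path is an assumption and should match your own setup.

```nginx
server {
    listen 80;
    server_name example.com;            # placeholder: change to your domain
    root /var/www/wordpress;            # placeholder: your WordPress document root
    index index.php;

    location / {
        # Block WordPress author enumeration (/?author=1, /?author=2, ...).
        # $args is the query string without the leading "?", so the regex
        # matches "author=N" at the start of the query or after an "&".
        # The if block contains only a rewrite as its last statement.
        if ($args ~* "(^|&)author=\d+") {
            rewrite ^ https://example.com/ permanent;   # placeholder domain
        }
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;       # assumption: adjust to your PHP-FPM socket
    }
}
```

To confirm the rule is active, run `nginx -t`, reload, and then request `/?author=1` with `curl -I`. A working configuration answers with a 301 whose `Location` header is the site root; a configuration that still leaks would instead redirect to `/author/<username>/`.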

WordPress User Enumeration

In many WordPress installations it is possible to enumerate usernames through the author archives, including the admin username (usually ID:1). This is not a new trick, and it is built into a number of WordPress security testing tools.

Online free testing tools here.

Interested in listing WordPress user information? Please visit Nuno Sarmento at https://www.wp-code.uk for the code snippet.

Nuno Sarmento
Freelance WordPress Developer

