Prevent Enumeration of Usernames In Nginx


Prevent Enumeration of Usernames In Nginx – This is a simple fix that blocks author-ID user enumeration on a WordPress site (the technique used by WPScan, among other tools).

Before I get into this: yes, I am aware of the IfIsEvil page on the nginx wiki. The same page also says, “The only 100% safe things which may be done inside if in a location context are: return ...; rewrite ... last;”. With that in mind, the snippet below does nothing inside if except set a variable and, as the last statement, a rewrite, and it sits at server level in the vhost file rather than inside a location block, which is where the documented pitfalls occur.

Prevent Enumeration of Usernames In Nginx

Add the following to the server block of your nginx vhost configuration file:

# Block WordPress author-ID enumeration (e.g. /?author=1).
# $args is the raw query string, so match author=<digits> at its
# start or after "&"; $rule_0 is initialised to avoid log warnings.
set $rule_0 "";
if ($args ~ "(^|&)author=[0-9]+") {
    set $rule_0 1$rule_0;
}

# Only the front page is redirected, so /wp-admin/edit.php?author=N
# (a legitimate admin filter) keeps working. The trailing "?" stops
# nginx from appending the original query string to the redirect.
if ($rule_0 = "1") {
    rewrite ^/(index\.php)?$ http://domain.com/404? permanent;
}

Remember to replace domain.com in the rewrite line with your own domain name, then reload nginx 🙂

WordPress User Enumeration

On most WordPress installations a request for /?author=N is answered with a redirect to the author archive, /author/<username>/, so usernames can be enumerated simply by counting up the author ID. ID 1 is normally the account created at install time, which is usually the administrator. This is not a new trick and it is built into a number of WordPress security testing tools, WPScan among them.
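To see what the enumeration actually looks like, and to verify that the nginx rule above closes it, here is an added example in Python. It is not code from the original post and not WPScan's code. It assumes a hypothetical site at example.com, uses constructed redirect responses for the before and after cases, and adds a hypothetical live_fetcher helper so the same check can be pointed at a real site.

```python
"""Check whether a WordPress site leaks usernames via /?author=N.

Added example, not the blog's own code. Hostnames and the canned
responses below are constructed for illustration.
"""
import re
import urllib.error
import urllib.request

# WordPress answers /?author=N with a redirect to the author archive,
# /author/<user_nicename>/ (the slug defaults to the login name).
AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")


def username_from_location(location):
    """Return the username leaked by a redirect Location header, or None."""
    if not location:
        return None
    match = AUTHOR_RE.search(location)
    return match.group(1) if match else None


def enumerate_authors(fetch, max_id=10):
    """Walk author IDs 1..max_id the way WPScan does.

    fetch(author_id) must return (http_status, location_header_or_None)
    without following the redirect. Returns {author_id: username} for
    every ID whose redirect leaked a name.
    """
    found = {}
    for author_id in range(1, max_id + 1):
        status, location = fetch(author_id)
        if status in (301, 302):
            name = username_from_location(location)
            if name:
                found[author_id] = name
    return found


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects; we only want Location."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetcher(base_url, timeout=10):
    """Build a fetch() that queries a real site (hypothetical base URL)."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(author_id):
        url = f"{base_url.rstrip('/')}/?author={author_id}"
        req = urllib.request.Request(url, headers={"User-Agent": "author-enum-check"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status, resp.headers.get("Location")
        except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx land here
            return err.code, err.headers.get("Location")

    return fetch


# Constructed sample responses (not captured from any real site).
UNPATCHED_SITE = {
    1: (301, "http://example.com/author/admin/"),
    2: (301, "http://example.com/author/editor/"),
    3: (404, None),                          # no such author ID
}
PATCHED_SITE = {                             # after the nginx rule above
    1: (301, "http://example.com/404"),
    2: (301, "http://example.com/404"),
    3: (301, "http://example.com/404"),
}


def canned_fetcher(table):
    """fetch() that replays a dict of constructed responses."""
    return lambda author_id: table.get(author_id, (404, None))


if __name__ == "__main__":
    print("unpatched:", enumerate_authors(canned_fetcher(UNPATCHED_SITE), 3))
    print("patched:  ", enumerate_authors(canned_fetcher(PATCHED_SITE), 3))
    # Against a real site: enumerate_authors(live_fetcher("https://your-site"), 10)
```

A quick manual check without Python is `curl -sI 'https://your-site/?author=1' | grep -i '^location'`: before the fix the Location header names the author archive, after it the redirect points at /404. Note that what leaks is the author slug (user_nicename), which equals the login name unless it has been changed in the profile.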

Free online testing tools are available as well.

NOTE: If you are running the Apache web server instead of nginx, see the separate post covering that.

Interested in listing WordPress user information? Visit Nuno Sarmento at https://www.wp-code.uk for the code snippet.
