BulletProof Security Pro forum: WordPress Author Enumeration Bot Probe Protection – Author ID, User ID
Tagged: author, Author ID, author name, Bonus Custom Code, Bot, enumeration, User ID
This topic has 36 replies, 10 voices, and was last updated 8 years, 2 months ago by AITpro Admin.

AITpro Admin (Keymaster):
This WordPress Author Enumeration Bot Probe Protection Bonus Code protects against hacker Bot Probes looking for WordPress author enumeration (a numbered list of author IDs / User IDs) to exploit. If you use the Query Strings below in your Browser’s address bar you will see the author / username associated with the author ID / User ID displayed in your Browser. After adding this WordPress Author Enumeration Bot Probe Protection code you will no longer see the author ID / User ID displayed in your Browser; instead you will see a standard WordPress 404 Error, and the Query String for the author ID that you queried will be displayed in your Browser’s address bar. What is especially nice about this code is that to the hacker bot it appears that this author ID does not exist, without giving any clues that the author ID does actually exist on your website.
Replace this Forum website’s domain URL with your actual website’s domain URL for testing.

http://forum.ait-pro.com/?author=1
http://forum.ait-pro.com/?author=2
http://forum.ait-pro.com/?author=3
1. Copy the WordPress Author Enumeration Bot Probe Protection code below into this BPS Root Custom Code text box: CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here
2. Click the Save Root Custom Code button.
3. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root folder BulletProof Mode Activate button.
3. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root folder BulletProof Mode.

# WP AUTHOR ENUMERATION BOT PROBE PROTECTION
# Rewrites to author=999999 that does not actually exist
# which results in a standard 404 error. To the hacker bot
# it appears that this author does not exist without giving
# any clues that the author does actually exist.
RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [L]
Note: If you have a WordPress GWIOD (Giving WordPress Its Own Directory) website then you would add this code to both your site root htaccess file and BPS Root Custom Code. GWIOD site types have 3 htaccess files. 1 Site Root htaccess file, 1 WordPress installation folder htaccess file (BPS Root htaccess file) and a BPS wp-admin htaccess file.
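A detection-side companion to the rule above, added here and not part of the thread: it parses Apache combined-format access log lines (constructed sample data, not real traffic), groups ?author=N requests per client IP, and reports clients that walked through several author IDs together with the status codes they got back. A 200 means the author archive was actually rendered (no protection); the 404 from the rule above is the expected hardened response; a 301 alone is inconclusive from the log, because WordPress with pretty permalinks also 301-redirects ?author=N to /author/<name>/, so the Location header has to be checked separately.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" access-log line: client IP, timestamp, request line, status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): 203.0.113.9 probes a site running the 404
# rule, 198.51.100.7 makes one probe against a 301 rule, 192.0.2.44 probes an unprotected site.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2016:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2016:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2016:13:55:38 +0000] "GET /?author=3 HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2016:14:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.47.0"
198.51.100.7 - - [10/Oct/2016:14:01:05 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "curl/7.47.0"
192.0.2.44 - - [10/Oct/2016:14:10:00 +0000] "GET /?author=1 HTTP/1.1" 200 8001 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2016:14:10:01 +0000] "GET /?author=2 HTTP/1.1" 200 7990 "-" "Mozilla/5.0"
"""

def author_id(url):
    """Numeric value of the author= query parameter, or None if absent or non-numeric."""
    vals = parse_qs(urlsplit(url).query).get("author", [])
    return int(vals[0]) if vals and vals[0].isdigit() else None

def find_author_probes(log_text, min_ids=2):
    """Group ?author=N requests per client IP and report clients that touched at least
    `min_ids` distinct IDs, with the status codes they received. `archive_served` is True
    when any probe got a 200, i.e. the author archive (and so the username) was exposed.
    A 301 is not conclusive here: WordPress itself redirects ?author=N to /author/<name>/,
    so for redirects the Location header must be checked outside the access log."""
    per_ip = defaultdict(lambda: {"ids": set(), "statuses": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        aid = author_id(m["url"]) if m else None
        if aid is None:
            continue
        per_ip[m["ip"]]["ids"].add(aid)
        per_ip[m["ip"]]["statuses"].add(int(m["status"]))
    return {
        ip: {"ids": sorted(e["ids"]), "statuses": sorted(e["statuses"]),
             "archive_served": 200 in e["statuses"]}
        for ip, e in per_ip.items() if len(e["ids"]) >= min_ids
    }
```

Run `find_author_probes(open("access.log").read())` against a real log; lowering `min_ids` to 1 also surfaces single probes such as the 198.51.100.7 line in the sample.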
Young Master (Participant):
What if you have a website with more than 999999 users? Then it means that that code will not work. Right? Or is there any other way for websites with more than 999999 users?

AITpro Admin (Keymaster):
What would happen is that the redirect would actually work instead of causing a natural 404 error. If a hacker bot query was made using /?author=999999 and author ID 999999 actually really exists then the author name / User name for user 999999 would be displayed. If a website actually has 999999 user accounts and a hacker bot did ever actually query author ID 999999 then the site owner could change 999999 to 9999999, etc.

Tim (Participant):
I implemented this on a site, worked perfectly. But it also dawned on me that a smart bot could just crawl our author archive links (which we have on posts), and pull the ID from the body class.
My solution was to simply remove the author IDs from the body class via my theme’s functions.php. Note: If you use author-# for styling purposes, you can’t do this, but the author-username slug is also there for styling if needed.
Hopefully this is ok to post here, as it’s not directly related to BPS Security, but I think it works nicely in conjunction with the .htaccess probe protection.
function remove_author_id_from_body($classes) {
	/* are we on an author archive page? */
	if (is_author()) {
		/* loop through all classes */
		for ($i = 0; $i < count($classes); $i++) {
			/* find the numeric author ID class (e.g. author-12) and remove it from the array;
			   anchored so a slug class that merely starts with a digit (author-2cool) is left alone */
			if (preg_match('/^author-[0-9]+$/', $classes[$i])) {
				unset($classes[$i]);
				break;
			}
		}
	}
	return $classes;
}
add_filter('body_class', 'remove_author_id_from_body');

AITpro Admin (Keymaster):
Yep we do something very similar on our sites. 😉 Thanks for posting this code / info for other folks who should be doing the same thing and should use your code or similar code to do this same thing. And we are looking at possible ways of blocking cURL or DOM scans in website source code. 😉
Also if folks want to additionally redirect Request URIs to author links they can do something like this.

RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [L]
# Subfolder site Author URL redirect to Home page
RedirectMatch 301 (?i)^/(.*)/author/(.*)$ http://www.example.com/subfolder-site/

RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [L]
# Root site Author URL redirect to Home page
# On some web hosts the RedirectMatch rule above would need to be used even if the site is a root website
RedirectMatch 301 (?i)^/author/(.*)$ http://www.example.com/

Brian (Participant):
Great tip. There is also a plugin that does this – Display Name Author Permalink. Not sure if it also solves the problem Tim mentions?

Brian (Participant):
The plugin above replaces the author permalink with the display name and generates a 404 if the name is called directly. Works nicely. Here’s the code. Would be nice if this could be done via the .htaccess code instead of the plugin (less chance for interruptions)?

<?php
/*
Plugin Name: Display Name Author Permalink
Plugin URI: http://sivel.net/wordpress/display-name-author-permalink/
Description: Replaces the username for author permalinks with the users display name. Returns a 404 if the author permalink using the actual username is used.
Author: hallsofmontezuma, Matt Martz
Author URI: http://sivel.net
Version: 1.1

Copyright (c) 2009 Matt Martz (http://sivel.net)
Display Name Author Permalink is released under the GNU General Public License (GPL)
http://www.gnu.org/licenses/gpl-2.0.txt
*/

class DisplayNameAuthorPermaLink {
	// Map of sanitized user_login => sanitized display name
	var $users = array();

	// Build an array of usernames and display names and increment duplicates for uniqueness
	function __construct() {
		$i = 1;
		foreach ( get_users() as $user ) {
			$display_name = sanitize_title($user->display_name);
			if ( in_array($display_name, $this->users) ) {
				$i++;
				$display_name .= "-$i";
			}
			$this->users[sanitize_title($user->user_login)] = $display_name;
		}
		add_action('pre_get_posts', array($this, 'switch_author'));
		add_filter('author_link', array($this, 'filter_author'), 10, 3);
	}

	// Switch the display name with the username so that we can populate the posts properly
	// If the username was used in the call do a 404 template redirection
	function switch_author() {
		if ( ! is_author() )
			return;
		$author_name = get_query_var('author_name');
		// array_search() returns the matching key or false; the key may legitimately be "0"
		$key = array_search($author_name, $this->users);
		if ( $key !== false ) {
			set_query_var('author_name', $key);
			$author = get_user_by('login', $key);
			set_query_var('author', $author->ID);
		} else {
			set_query_var('author_name', false);
			set_query_var('author', false);
			add_action('template_redirect', array($this, 'redirect_404'));
		}
	}
	// Replace the username in author links generated in the theme with the users display name
	function filter_author($link, $author_id, $author_nicename) {
		if ( array_key_exists($author_nicename, $this->users) )
			$link = str_replace($author_nicename, $this->users[$author_nicename], $link);
		return $link;
	}

	// Send a real 404 status (not just the 404 template with a 200) and render the 404 template
	function redirect_404() {
		global $wp_query;
		$wp_query->set_404();
		status_header(404);
		nocache_headers();
		include(get_404_template());
		die();
	}
}

// Instantiate the DisplayNameAuthorPermaLink class
$DisplayNameAuthorPermaLink = new DisplayNameAuthorPermaLink();

Mai (Participant):
Hello
I can’t find
CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here
Maybe because I am using the free plugin? Thank you : )

AITpro Admin (Keymaster):
See the Custom Code video tutorial for where Custom Code is: http://forum.ait-pro.com/video-tutorials/#custom-code

Jason (Participant):
Hey Edward, has the WP author enumeration bot .htaccess custom code been tested in Multisite?
I have added it to all my sites and it works fine, until I used it on a Multisite and it still spits out the author username. Thanks.

AITpro Admin (Keymaster):
Nope, I don’t think this code will work on a Network GWIOD site type. We have scheduled a task to look into standard GWIOD site types and Network GWIOD site types soon.

AITpro Admin (Keymaster):
@ Jason – I had a minute to look at the GWIOD site type issue and the solution is very simple.
Note: If you have a WordPress GWIOD (Giving WordPress Its Own Directory) website then you would add this code to both your site root htaccess file and BPS Root Custom Code. GWIOD site types have 3 htaccess files. 1 Site Root htaccess file, 1 WordPress installation folder htaccess file (BPS Root htaccess file) and a BPS wp-admin htaccess file.
Max (Participant):
Thought I’d share what has worked best for me, works with multisite networks & ‘domain mapping’ =)

# BEGIN AUTHOR ENUMERATION PROTECTION
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} (^|&)author=([0-9]){1,}$ [NC]
RewriteRule ^ /? [R=301,L]
# END AUTHOR ENUMERATION PROTECTION

Schneider (Participant):
Thank you Max, this is an incredibly useful piece!

Pako (Participant):
Hi
I’m giving BPS a try (and will buy BPS Pro if it suits my needs) to move away from Wordfence, so I’m pretty new to BPS..
I tried the following code on a single WP site (no multisite) and it works:

# BEGIN AUTHOR ENUMERATION PROTECTION
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} (^|&)author=([0-9]){1,}$ [NC]
RewriteRule ^ /? [R=301,L]
# END AUTHOR ENUMERATION PROTECTION

I tried the same in a WP multisite (and also tried the first code you gave) and it does nothing, I mean it does not redirect to the homepage as it should; instead it continues to display the author page.
This code is however well present in the .htaccess file…
Thanks
PS: English is not my mother tongue…