
WordPress User Enumeration


These three enumeration techniques are a very fast way to identify users of a WordPress installation. With valid usernames, effective brute force attacks can be attempted to guess the password of the user accounts.

WordPress User Enumeration via Author Archives

Finding users by iterating through the author archives is a common technique that works in all versions of WordPress by default.

Users have a unique user ID that is used by the application in the database and for referencing the user account. By attempting to load the author archive for each user ID, we quickly identify valid account IDs and the username that matches each account. This includes the admin username (usually ID:1). This is not a new trick and is available in a number of WordPress Security Testing tools.

How does it work?

We can make a simple HTTP request to https://wordpressexample.com/?author=1. You can try this in a browser. In the web developer tools take a look at the Network tab and view the HTTP response received from the request. If it worked you will see something like this:

Connection: keep-alive
Content-Type: text/html; charset=UTF-8
Date: Thu, 17 Oct 2019 23:12:26 GMT
Location: https://wordpressexample.com/author/fred/
Server: nginx/1.10.3 (Ubuntu)

We can see in the response that the Location: header reveals the username for userid 1 as "fred". This indicates the admin account was renamed to "fred".

Bash One Liner - Get all the Usernames

Here is a quick bash one liner that will cycle through as many users as you want and enumerate the usernames. So if you don't have a WordPress Scanner such as WPScan or Nmap NSE scripts you can try this bash trick.

for i in {1..5}; do curl -s -L -i "http://www.wordpress-site-to-test.com/?author=$i" | grep -E -o "\" title=\"View all posts by [a-z0-9A-Z\-\.]*|Location:.*" | sed 's/\// /g' | cut -f 6 -d ' ' | grep -v "^$"; done

Change the 5 to however many users you want to enumerate. The command will iterate through the authors (users) and use grep to pull the username from the Location header or the HTML of the actual page, depending on the site's configuration and response.

WordPress Enumeration via JSON API

Using a JSON endpoint it may be possible to get a list of users on the site. This was restricted in version 4.7.1 to only show a user that has published a post, and if configured; before that, all users were shown by default.

https://wordpressexample.com/wp-json/wp/v2/users

WordPress Enumeration via the Login Form

Brute forcing the user name is possible using the login form as the response is different for a valid vs an invalid account.


Using a tool such as Burp Intruder in Burp Suite, we would load a list of possible usernames and cycle through HTTP POST requests to the WordPress login form examining the response.

An HTTP response that matches "invalid password" indicates the username is valid. We could then move on to attacking the password using the same process with a common password list.
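From the defender's side, all three techniques above leave a recognisable pattern in the web server access log. The following is an added example, not part of the original article: a small Python detector for nginx "combined" format logs. The thresholds, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")

def detect_enumeration(log_text, min_author_ids=3, min_failed_logins=5):
    """Return {client_ip: [finding, ...]} for the three techniques on this page.
    Thresholds are assumptions; tune them to your own traffic."""
    author_ids = defaultdict(set)     # ip -> distinct ?author=N values requested
    users_api = defaultdict(int)      # ip -> hits on /wp-json/wp/v2/users
    failed_logins = defaultdict(int)  # ip -> POSTs to wp-login.php answered 200
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method, uri, status = m.groups()
        path = uri.split("?", 1)[0]
        author = AUTHOR_RE.search(uri)
        if author:
            author_ids[ip].add(int(author.group(1)))
        elif path.rstrip("/").startswith("/wp-json/wp/v2/users"):
            users_api[ip] += 1
        # Assumption: a failed login re-renders the form (200), a success redirects (302).
        elif method == "POST" and path == "/wp-login.php" and status == "200":
            failed_logins[ip] += 1
    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= min_author_ids:
            findings[ip].append("author-archive enumeration")
    for ip in users_api:  # any hit is reported for review
        findings[ip].append("REST users endpoint listing")
    for ip, count in failed_logins.items():
        if count >= min_failed_logins:
            findings[ip].append("repeated failed logins")
    return dict(findings)

def _line(ip, method, uri, status):
    return f'{ip} - - [17/Oct/2019:23:12:26 +0000] "{method} {uri} HTTP/1.1" {status} 0 "-" "-"'

# Constructed sample traffic (documentation IP ranges), not from a real site.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "GET", f"/?author={i}", 301) for i in range(1, 5)]
    + [_line("198.51.100.23", "GET", "/wp-json/wp/v2/users", 200)]
    + [_line("192.0.2.50", "POST", "/wp-login.php", 200) for _ in range(5)]
    + [_line("192.0.2.99", "GET", "/?author=1", 301),
       _line("192.0.2.99", "POST", "/wp-login.php", 302)]
)

if __name__ == "__main__":
    for ip, hits in detect_enumeration(SAMPLE_LOG).items():
        print(ip, hits)
```

The last client in the sample (one author page view and one successful login) is deliberately not flagged, which shows why the detector counts distinct author IDs and failed logins rather than single requests.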

Conclusion

This WordPress user enumeration technique will often work on sites that have taken the trouble to rename the admin account to something else to reduce the chance of a successful brute force attack. It is WordPress security 101, but these enumeration techniques show that no matter what your username is, strong passwords are essential.