• Resolved Rasso Hilber

    (@nonverbla)


    Hi there!

    As you guys surely know, one of the first things many hackers do is try to enumerate the users that are registered on a site. One way to prevent this, in the REST API for example, would be to remove the related endpoints:

    
    /**
     * Prevents user enumeration in the REST API by removing the
     * /wp/v2/users collection route and the single-user route.
     *
     * @param array $endpoints The original endpoints.
     * @return array The updated endpoints.
     */
    function rest_endpoints_prevent_user_enumeration( $endpoints ) {
    	// Collection route: GET /wp-json/wp/v2/users lists users.
    	if ( isset( $endpoints['/wp/v2/users'] ) ) {
    		unset( $endpoints['/wp/v2/users'] );
    	}
    	// Single-user route: GET /wp-json/wp/v2/users/<id>. The array key is the
    	// regex WordPress registers for this route, so it must match exactly.
    	if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
    		unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    	}
    
    	return $endpoints;
    }
    add_filter( 'rest_endpoints', 'rest_endpoints_prevent_user_enumeration' );
    

    While some sites may actually need these endpoints, none of my ~50 sites does. Would you consider adding an option to your options page ?page=site-security, where one could “Disable User Enumeration”?

    Looking forward to hearing your thoughts.

    • This topic was modified 3 years, 6 months ago by Rasso Hilber. Reason: code and title formatting
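Added example, not part of the original post and not the plugin's own code: for the sites the poster mentions that do need the user routes (for instance so editors can pick post authors in the block editor), a variant that keeps `/wp/v2/users` registered but gates GET requests behind the `list_users` capability, so anonymous callers get a 401 instead of a user list. It assumes WordPress 4.7 or later (for `rest_authorization_required_code()`); the function name and error code are chosen for this example.

```php
<?php
/**
 * Restricts the REST user routes to users with the `list_users` capability
 * instead of removing them.
 *
 * Hooked to `rest_pre_dispatch`, which runs after authentication but before
 * routing, so the current user is already known. Returning a WP_Error here
 * short-circuits the request.
 *
 * @param mixed           $result  Response to replace the requested version with (null by default).
 * @param WP_REST_Server  $server  Server instance.
 * @param WP_REST_Request $request Request used to generate the response.
 * @return mixed Unchanged $result, or a WP_Error for forbidden user lookups.
 */
function example_restrict_rest_user_routes( $result, $server, $request ) {
	// Another filter already produced a response; do not override it.
	if ( null !== $result ) {
		return $result;
	}

	// Only the collection route and the numeric single-user route.
	// /wp/v2/users/me is deliberately left alone: it only ever returns the
	// already-authenticated caller, so it cannot be used for enumeration.
	$route         = untrailingslashit( $request->get_route() );
	$is_user_route = (bool) preg_match( '#^/wp/v2/users(?:/\d+)?$#', $route );

	if ( ! $is_user_route || 'GET' !== $request->get_method() ) {
		return $result;
	}

	// Editors and administrators keep full access.
	if ( current_user_can( 'list_users' ) ) {
		return $result;
	}

	// 401 for anonymous requests, 403 for logged-in users without the capability
	// (that is what rest_authorization_required_code() returns).
	return new WP_Error(
		'example_rest_user_cannot_view',
		__( 'Sorry, you are not allowed to list users.' ),
		array( 'status' => rest_authorization_required_code() )
	);
}
add_filter( 'rest_pre_dispatch', 'example_restrict_rest_user_routes', 10, 3 );
```

With this in place an anonymous `GET /wp-json/wp/v2/users` or `/wp-json/wp/v2/users/1` returns a 401 with the error code above, whereas the removal approach in the post returns a 404 `rest_no_route`. Either way the response carries no usernames or slugs, which is the property to check after deploying: request both URLs without cookies and confirm the body contains no `slug` entries.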
Viewing 1 replies (of 1 total)
  • Plugin Support Gergana Petrova

    (@gpetrova)

    Hello @nonverbla,

    Thank you for the suggestion. I have brought it to the attention of the plugin’s developers, who will look further into your inquiry.

    Should this option end up being included in one of the plugin’s future releases, it will be listed in the Changelog.

    Best Regards,
    Gergana Petrova


The topic ‘Add Option to Prevent User Enumeration’ is closed to new replies.