Right now 32% of the internet runs on WordPress. I don’t have to tell you that you can launch a WordPress website with the click of a button. But with great power comes great responsibility, so you also have to guard yourself against the thousands of hackers who want to access your data or try to execute a man-in-the-middle attack to get at your precious revenue.
Hence this Hacker’s Guide. In this blog post I will show you which attacks are most common against WordPress and how to defend yourself against these daily online threats.
Why do hackers want to hack your WordPress website?
The motive changes with every website, but the most common one is to get into your database and collect your users’ credentials. Although you might think the information about your users isn’t that interesting, it can be sold on (online) black markets.
How it works in action
To exploit this vulnerability, the attacker needs to attack in two phases:
First phase: The attacker uses a flaw in the system. For example, when you try to log in to a website with incorrect credentials, the system might give you the error message ‘invalid username’. The bad guy keeps trying until the system’s response changes to ‘invalid password’; at that point the conclusion is that the username is valid and only the password is missing.
In many WordPress installations the usernames can be reached through the author archives. To access them, we just need to add ‘author=n’ as a parameter to the WordPress home page. Let’s see some examples:
www.example.com/?author=1
www.example.com/?author=2
www.example.com/?author=3
www.example.com/?author=4
After this process comes the second phase of the attack:
Second phase: Once the bad guy has collected as many login names as possible, there are no more preparatory steps to take: he only needs to break into these accounts with a brute-force attack. This is the critical point, especially when an account has a weak password that can be cracked easily.
Vulnerable surfaces
An attacker can take advantage of this form of attack on several interfaces. Naturally, the most common one is the login page, which can be attacked in the way described above.
The second major interface is the ‘forgotten password’ page. Here the attacker watches for the system response ‘username does not exist’ and tries again and again until he/she gets a response like ‘An email has been sent to the address on record.’ That response means the username does exist and can be targeted with a brute-force attack.
The third interface is the registration page. Here the attacker looks for the response ‘the username is already in use’. This means the username is registered and, as mentioned before, it ‘only’ needs a brute-force attack.
There is a more advanced variant in which the attacker measures the server’s response time. In some cases the server responds within seconds when the username is valid, but on average it takes longer when the request involves a non-existent username. This timing difference can also be valuable to attackers.
How does Servermeister protect your server against this vulnerability?
Servermeister defends your Apache web servers and the domains on them against WordPress user enumeration attacks. Of its nine modules, the SenseLog module is responsible for this, through its ApacheWpEnumeration rule. The module analyzes the logs and, if it finds the request pattern specific to this attack, it alerts our system about the activity and moves the offending IP to the greylist.
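As an added example (not BitNinja’s or Servermeister’s code), here is a simplified version of the kind of log check described above: it parses Apache combined-format access log lines, counts the distinct ‘author=n’ ids each client probes inside a time window, and records which of those answered with a 301 (assumed here to be WordPress’s default redirect to the author archive), because those are the ids that actually leaked a username. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 203.0.113.7 walks author=1..4 (ids 1 and 2 redirect, so they
# exist; 3 and 4 give 404); 198.51.100.9 is a normal visitor reading one author archive.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:01:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:08:01:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:08:01:02 +0000] "GET /?author=3 HTTP/1.1" 404 1024 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:08:01:03 +0000] "GET /?author=4 HTTP/1.1" 404 1024 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:08:05:30 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:08:05:31 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def detect_author_enumeration(log_text, threshold=3, window_seconds=60):
    """Return {ip: {"probed": [...], "resolved": [...]}} for every client that
    requests `threshold` or more distinct author ids within `window_seconds`.
    "resolved" lists the ids that returned 301, i.e. real authors whose
    archive slug (usually the login name) was disclosed by the redirect."""
    hits = defaultdict(list)  # ip -> [(timestamp, author_id, status)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        a = AUTHOR_RE.search(m.group("path"))
        if not a:
            continue  # not an author-archive request, ignore
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        hits[m.group("ip")].append((ts, int(a.group(1)), int(m.group("status"))))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        # Slide a window over this client's requests and count distinct ids in it.
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_seconds]
            ids = {aid for _, aid, _ in in_window}
            if len(ids) >= threshold:
                flagged[ip] = {
                    "probed": sorted(ids),
                    "resolved": sorted({aid for _, aid, st in in_window if st == 301}),
                }
                break
    return flagged
```

A real deployment would feed the flagged IPs into a blocklist or greylist and tune the threshold and window to the site’s normal traffic.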
I hope you found this article useful and interesting. Leave a comment below and share your thoughts on this topic, or if you have any questions, send us a message at [email protected]
This article was first published by BitNinja. Servermeister is a premium BitNinja partner and an active hosting security company based in the EU.