WordPress knowledge sharing

Resolution of WordPress User Name Enumeration Vulnerability

Recently a friend asked about his website: it had been flagged with the WordPress user name enumeration vulnerability CVE-2017-5487. Lao Wei checked and found that the vulnerability affects WordPress versions below 4.7.1. Because the site is an important portal, Lao Wei suggested using a paid version of the firewall to solve the problem.

Analyzing the problem

The figure below shows the result reported by the official network-security practice exercise. My friend said that the website is an important portal and that its WordPress is always kept at the latest version, so it should not have this vulnerability.

Figure: WordPress User Name Enumeration Vulnerability

Vulnerability impact: an attacker can obtain user names, user IDs and other account information.
Trigger condition: the WordPress REST API is enabled.
Affected versions: below 4.7.1

After the attack on the site, nearly 100 subscriber accounts had been added, which can be seen in the database.

My friend also said that the website has almost no plug-ins and the theme is a legitimately licensed one, which rules out vulnerabilities introduced by pirated (nulled) themes.

It may be that a vulnerability on the server has been exploited, so it is better to defend against this problem from the server side. After all, we are not professional server operations engineers and cannot locate and block the problem at the code level, so in this case we can simply use an existing firewall.

Solving the problem

The server uses the free version of the Pagoda panel. Following Lao Wei's suggestion, the friend registered for the Pagoda panel's enterprise service and installed the paid plug-ins Pagoda Firewall, Pagoda Enterprise Tamper-proof and Pagoda Anti-intrusion. After some configuration matched to the site's actual situation, these keep the site from being broken into.

WordPress exposes the site's administrator user name and other site details through default URLs. To prevent these from being collected, open the URL blacklist in the Pagoda panel's paid firewall and add the following two lines as separate entries:

^/wp-json/wp/v2/users/

^/wp-includes/wlwmanifest.xml
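As an added example (not part of the original post and not the Pagoda firewall's own code), the following Python code applies the two blacklist entries above as regular expressions to a set of constructed request URIs and compares them with a tightened variant. The tightened rules are my suggestion: as written, the first entry requires a trailing slash after `users`, so the collection URL `/wp-json/wp/v2/users` itself does not match, and a path-based rule never sees WordPress's alternative `?rest_route=` form of the same REST route, so the example also inspects that query parameter. The sample request targets are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two URL-blacklist entries exactly as given in the post, treated as
# regular expressions anchored at the start of the request path.
POST_RULES = [
    re.compile(r"^/wp-json/wp/v2/users/"),
    re.compile(r"^/wp-includes/wlwmanifest.xml"),
]

# Tightened variant (my suggestion, not from the post): match the users
# collection with or without a trailing slash, and escape the dot so the
# second rule only matches the real file name.
TIGHTENED_RULES = [
    re.compile(r"^/wp-json/wp/v2/users(?:/|$)"),
    re.compile(r"^/wp-includes/wlwmanifest\.xml$"),
]

# WordPress also serves REST routes as /?rest_route=/wp/v2/users; this
# pattern covers that form, which a path-only rule never sees.
REST_ROUTE_RULE = re.compile(r"^/wp/v2/users(?:/|$)")


def request_is_blocked(request_uri, rules, check_rest_route=False):
    """Return True if the request URI should be blocked under `rules`.

    `request_uri` is the raw request target (path plus optional query).
    With check_rest_route=True the rest_route query parameter is also
    checked against REST_ROUTE_RULE.
    """
    parts = urlsplit(request_uri)
    if any(rule.search(parts.path) for rule in rules):
        return True
    if check_rest_route:
        for route in parse_qs(parts.query).get("rest_route", []):
            if REST_ROUTE_RULE.search(route):
                return True
    return False


# Constructed sample request targets: the requests the rules are meant to
# stop, plus ordinary traffic that must keep working.
SAMPLE_REQUESTS = [
    "/wp-json/wp/v2/users/1",             # single user via the REST API
    "/wp-json/wp/v2/users",               # user collection, no trailing slash
    "/wp-json/wp/v2/users?per_page=100",  # collection with a query string
    "/?rest_route=/wp/v2/users",          # same route via the query parameter
    "/wp-includes/wlwmanifest.xml",
    "/wp-json/wp/v2/posts",               # legitimate REST traffic
    "/index.php",
]


def compare_rulesets(requests=SAMPLE_REQUESTS):
    """Return {uri: (blocked_by_post_rules, blocked_by_tightened_rules)}."""
    return {
        uri: (
            request_is_blocked(uri, POST_RULES),
            request_is_blocked(uri, TIGHTENED_RULES, check_rest_route=True),
        )
        for uri in requests
    }


if __name__ == "__main__":
    for uri, (post, tight) in compare_rulesets().items():
        print(f"{uri:36} post rules: {post!s:5} tightened: {tight}")
```

Running the script shows that the post's entries stop `/wp-json/wp/v2/users/1` and the manifest file but let the bare collection URL and the `rest_route` form through, while the tightened variant stops all four and still passes `/wp-json/wp/v2/posts` and `/index.php`. Whether the Pagoda firewall lets a rule look at the query string is not something the post states, so check that in the panel before relying on the `rest_route` part.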

At the same time, change the default admin login address of the WordPress site; Lao Wei suggests the WPS Hide Login plug-in. If you dislike adding a plug-in for such a function, you can also try the Pagoda panel's "encrypt WordPress admin login page" feature, which puts an extra lock on the default WordPress admin area. Of course, clever readers will think of combining the WPS Hide Login plug-in with the Pagoda panel's admin-page encryption, which is more secure still.

Then there is the user name and password for the WordPress admin area, which Lao Wei has reminded readers about many times before: use numbers, letters and symbols, with no pattern and nothing predictable, more than 30 characters long. Even if a machine scans the site and tries to guess the password, the paid Pagoda firewall will drop the client once it exceeds the number of connections allowed within the time set by the rule. In addition, check the firewall log regularly; if you find a suspicious IP address, you can blacklist it and rest easy.
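As an added example (not from the post and not the Pagoda firewall's own logic), here is a Python check that does in code what the post asks of the firewall rule and of the periodic log review: it parses nginx-style access-log lines, flags any client IP that POSTs to /wp-login.php more than a threshold number of times inside a sliding time window, and counts requests to the two blacklisted enumeration URLs per IP. The log lines, the IP addresses (taken from the documentation ranges) and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Parses one nginx "combined"-style access-log line into client IP,
# timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Path prefixes of the two URLs the post blacklists; hits are counted per IP.
PROBE_PREFIXES = ("/wp-json/wp/v2/users", "/wp-includes/wlwmanifest.xml")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_login_bursts(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for IPs that POST to /wp-login.php more than
    `threshold` times within any `window_seconds`-long sliding window."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php":
            times[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start = peak = 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until it fits within the window.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def find_enumeration_probes(lines):
    """Return {ip: count} of requests to the blacklisted enumeration URLs."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(PROBE_PREFIXES):
            counts[rec["ip"]] += 1
    return dict(counts)


# Constructed sample log: one client hammering the login form, one client
# probing the enumeration URLs, and one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:12:00 +0000] "GET /wp-json/wp/v2/users/ HTTP/1.1" 200 2311 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:14:12:01 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:14:12:02 +0000] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 200 1045 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:14:30:00 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    print("login bursts:", find_login_bursts(SAMPLE_LOG))
    print("enumeration probes:", find_enumeration_probes(SAMPLE_LOG))
```

On the sample log the burst check reports 203.0.113.5 (six login POSTs inside 50 seconds) and the probe count reports 198.51.100.7 (three hits on the blacklisted URLs), while the two widely spaced logins from 198.51.100.7 stay under the threshold. Treat the output as a list of candidates to review before blacklisting: a shared office or carrier NAT can put many real users behind one address.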

Additional Tips

This kind of problem occurs on ECS; users of shared hosts such as Hostinger and SiteGround do not have this concern, because the hosting providers have already blocked the vulnerability in advance.

As users, we can then rest assured that the WordPress core, plug-ins, themes and manually uploaded files will not cause problems.

Article name: Resolution of WordPress User Name Enumeration Vulnerabilities
Article link: https://www.vpsss.net/29012.html
Copyright notice: The resources of this website are only for personal learning and exchange, and are not allowed to be reproduced and used for commercial purposes, otherwise, legal issues will be borne by yourself.
The copyright of the pictures belongs to their respective creators, and the picture watermark is for the purpose of preventing unscrupulous people from stealing the fruits of labor.