Prevent Enumeration of Wordpress Usernames with WPScan


#1

On nginx installations I have that are not EE, I use the following to prevent username enumeration.

location / {
   try_files $uri $uri/ /index.php?$args;

   # WordPress redirects /?author=N to /author/<login>/, which leaks the
   # login name. Flag any request whose query string starts with author=<digits>.
   set $rule_0 "";
   if ($args ~ "^/?author=([0-9]*)") {
      set $rule_0 1$rule_0;
   }
   # Send flagged requests to a 404 page instead of letting WordPress redirect.
   if ($rule_0 = "1") {
      rewrite ^/$ http://domain.com/404 permanent;
   }
}

It appears impossible (well, unwise anyway) to do in EE because location / appears in various include files under nginx/common that are updated as EE is updated so the change would be overwritten. Any ideas where I might add?

Thank you!


#3

Hi @aTeXuN

Since there’s no way to have duplicate location blocks in a single server block, maybe the only workaround that you can use is to find out the location block which your virtual server is using and edit it to add your changes.

Thanks.


#4

Try location ~ / or location ^/.

For my needs, probably not the same as yours, both workarounds worked fine.
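An added example, not from any post in this thread, of the same check written so it does not need its own location / block: a map in the http context flags an author=N query string, and a single if in the server block returns 404 for it. The file path and the comment about where the server block lives are assumptions; the map matches the query string on any path and in any position, which goes slightly beyond the rewrite in post #1.

```nginx
# /etc/nginx/conf.d/block-author-enum.conf  (path is an assumption)
#
# http-level map: $block_author_enum becomes 1 when the query string
# carries author=<digits>, either first or after another parameter.
# This is the request WordPress turns into a redirect to /author/<login>/,
# which is what exposes the username.
map $args $block_author_enum {
    default               0;
    "~(^|&)author=[0-9]+" 1;
}

# Inside the server { } block that serves the site (how you get this
# line into that block on your install is left to you):
server {
    # ... existing listen / root / include directives stay as they are ...

    # Answer 404 before WordPress ever sees the request, so no redirect
    # and no author archive is produced for the probe.
    if ($block_author_enum) {
        return 404;
    }
}
```

Check it with `nginx -t` and then request /?author=1 and /about/?foo=1&author=1: both should answer 404 instead of a 301 to the author archive.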


#5