Picture by Mohamed Hassan from Pixabay

Blog post -

Is Your Website Leaking Your Usernames?

Article by David Johnstone

WordPress is used for more than 33 percent of all websites. I believe it is the best choice of platform for you and your company. But you need to know that an out-of-the-box install isn’t as secure as you’d expect. Surprised?

While other website builders don’t have this exact problem, there are extra steps required to properly secure and lock down a WordPress website.

How do you know if your WordPress website is properly protected and secure? There are several things I check for on my clients’ websites. Here are three checks you can do by yourself.

Self-Check #1

WordPress will display its usernames if you ask the right way. The username is half of the credentials needed to log in to your website. No one outside your team ever needs to know it, so this disclosure should always be disabled to protect back-end access to your website.

To check whether your WordPress website is leaking usernames, simply add /?author=1 after your domain name. Make it look like this: YourDomain.com/?author=1

You can look for more usernames with:

YourDomain.com?author=2

YourDomain.com?author=3

YourDomain.com?author=4

...because some websites have multiple users or administrators.

If this works, your browser is redirected to that user’s author archive and the username appears in the URL box, in the form YourDomain.com/author/username/. That confirms your usernames are leaking. And the whole world can see them.

Self-Check #2

The next common issue is that your web server may let people browse your files (directory listing). This should never be allowed. To check, just add /wp-content/uploads/ after your domain, like this:

www.YourDomain.com/wp-content/uploads/

If you see a list of folders and files, your web server is leaking files. Again, no one should be allowed to do this, and they cannot do it when your server is properly protected.

Self-Check #3

You never want to disclose the version of WordPress you are using. You do want to be running the latest version, but only you need to know which version that is. When you advertise it, especially to people with malicious intentions, you tell them exactly which known security holes to try against your site, and they can use those to deface or delete your website. Hiding the version is not a substitute for keeping WordPress updated; it just stops you from being the easiest target.

There is an easy way to check if you are showing your version. Look inside your RSS feed. All WordPress websites create an RSS feed, unless it was purposely turned off. You do want an RSS feed, but you don’t want it to leak your WordPress version. You can look at your feed by adding /feed after your domain name: YourDomain.com/feed

Once your feed is open, search for the word “generator.” It will look like this: <generator>https://wordpress.org/?v=5.4.2</generator>. If this is in your feed, the ?v= value specifies (and leaks) your WordPress version. The same version string is normally printed in the HTML head of every page as well, in a meta tag named “generator,” so check there too.
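The three checks above can be scripted so they are repeatable. The following is an added example written for this page, not code from the original post or from WordPress itself. It keeps the decision logic (what a leaking redirect, a directory listing and a generator tag look like) separate from the HTTP fetching, so the logic can be exercised offline against constructed responses. The hostnames, usernames and response bodies in the sample data are made up; the path patterns are WordPress defaults. One caveat the post does not mention: the ?author=N redirect to /author/username/ only happens when pretty permalinks are enabled, and the slug shown there is the user’s nicename, which defaults to the login name but can be changed.

```python
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Author-archive permalink WordPress redirects to when pretty permalinks are on.
AUTHOR_PATH_RE = re.compile(r"/author/([^/?#]+)/?")
# The <generator> element WordPress writes into every RSS feed.
GENERATOR_RE = re.compile(
    r"<generator>\s*https?://wordpress\.org/\?v=([0-9.]+)\s*</generator>", re.I
)
# Apache and nginx autoindex pages both title themselves "Index of /<path>".
DIR_LISTING_RE = re.compile(r"<title>\s*Index of\s+/", re.I)


def username_from_author_redirect(location):
    """Check #1: on a leaky site, /?author=N answers 301 to /author/<slug>/.
    Returns the slug (the user's nicename, which defaults to the login name)
    or None when the Location header does not point at an author archive."""
    if not location:
        return None
    match = AUTHOR_PATH_RE.search(urlparse(location).path)
    return match.group(1) if match else None


def is_directory_listing(status, body):
    """Check #2: a 200 whose title reads 'Index of /...' is an autoindex page."""
    return status == 200 and bool(DIR_LISTING_RE.search(body))


def wordpress_version_from_feed(body):
    """Check #3: pull the ?v= value out of the feed's <generator> element."""
    match = GENERATOR_RE.search(body)
    return match.group(1) if match else None


def check_responses(responses, max_author_ids=5):
    """Run all three checks over a mapping of path -> (status, location, body).
    Keeping the logic separate from the HTTP fetch lets it run offline."""
    findings = {"usernames": [], "directory_listing": False, "version": None}
    for n in range(1, max_author_ids + 1):
        status, location, _ = responses.get(f"/?author={n}", (404, None, ""))
        if status in (301, 302):
            user = username_from_author_redirect(location)
            if user and user not in findings["usernames"]:
                findings["usernames"].append(user)
    status, _, body = responses.get("/wp-content/uploads/", (404, None, ""))
    findings["directory_listing"] = is_directory_listing(status, body)
    _, _, body = responses.get("/feed/", (404, None, ""))
    findings["version"] = wordpress_version_from_feed(body)
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header can be read."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base_url, path):
    """Return (status, Location header, body) for one URL, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        urljoin(base_url, path), headers={"User-Agent": "wp-selfcheck-example/0.1"}
    )
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # raised for unfollowed 3xx and for 4xx/5xx
        return err.code, err.headers.get("Location"), err.read().decode("utf-8", "replace")


def run_checks(base_url, max_author_ids=5):
    """Fetch the paths the three checks need from a live site and evaluate them."""
    paths = [f"/?author={n}" for n in range(1, max_author_ids + 1)]
    paths += ["/wp-content/uploads/", "/feed/"]
    return check_responses({p: fetch(base_url, p) for p in paths}, max_author_ids)


# Constructed responses (not captured from a real site) for a site that fails all
# three checks, so the logic can be exercised without network access.
SAMPLE_LEAKY_SITE = {
    "/?author=1": (301, "https://example.com/author/admin/", ""),
    "/?author=2": (301, "https://example.com/author/editor-jane/", ""),
    "/?author=3": (404, None, "<title>Page not found</title>"),
    "/wp-content/uploads/": (200, None,
        "<html><head><title>Index of /wp-content/uploads</title></head>"
        "<body><a href='2020/'>2020/</a></body></html>"),
    "/feed/": (200, None,
        '<?xml version="1.0"?><rss><channel>'
        "<generator>https://wordpress.org/?v=5.4.2</generator>"
        "</channel></rss>"),
}


if __name__ == "__main__":
    # Usage: python wp_selfcheck.py https://YourDomain.com   (omit the URL for the sample)
    if len(sys.argv) > 1:
        print(run_checks(sys.argv[1]))
    else:
        print(check_responses(SAMPLE_LEAKY_SITE))
```

Run it with your own domain as the argument to test a live site, or with no argument to see the three findings produced from the constructed sample. Only run it against sites you own or are authorised to test.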

Now you have three easy checks to make sure your WordPress website is protected and secure (or not). But these are just to get you started with paying attention to the security of your website. If you fail any of these easy tests, please consult an expert to look deeper into what else might be exposed.

Are you interested in what else there is to be looked at? Would you like to know the steps to fix the items above? Email me! I would be happy to hear from you, and to share more of my expertise.

David Johnstone is the owner of Flash Forward Sites. His skills were honed over two decades working within the American Express organization, during which time he was also the co-inventor of two software-related patents. Find his website at www.flashforwardsites.com.

To contact David Johnstone:

480-444-2520 : David@FlashForwardSites.com
