WPScan is a WordPress vulnerability scanner written in Ruby, sponsored by Sucuri and hosted on GitHub. It ships with a vulnerability database for WordPress core, plugins and themes, so anyone who points it at your site gets a report of the known, exploitable security problems on it. You can install WPScan yourself on Debian 8 (guide) or Ubuntu 16.04 (guide).
WPScan provides multiple ways to discover the usernames of accounts on WordPress and WooCommerce sites. If you have ever wondered how the bots your security plugin reports already know your admin username, chances are they used WPScan's enumeration methods.
This tutorial shows how to use Varnish to block WPScan user enumeration before the requests ever reach WordPress.
Using WPScan User Enumeration
WPScan has two user enumeration methods: a basic scan and an advanced one that gets past the usual plugin-based protection. Both are shown below, then blocked in the next section.
WPScan Basic User Enumeration Scan
This is how you run a basic user enumeration scan with WPScan (the command below is the old wpscan.rb invocation; current releases install a wpscan binary that takes the same --url and --enumerate u options).
ruby wpscan.rb --url https://guides.wp-bullet.com --enumerate u
You will get output like this, listing each discovered author ID and login:
[+] Enumerating usernames ...
[+] Identified the following 1 user/s:
+----+-------------------+-------------------+
| Id | Login | Name |
+----+-------------------+-------------------+
| 1 | wpbullet | wpbullet |
+----+-------------------+-------------------+
Crap, that means an attacker knows my username and only has to brute force the password.
WPScan Advanced User Enumeration Scan
Even if you block the basic scan, there is an advanced one that sends the author ID in the body of a POST request to the site root instead of in the query string. Plugins such as Stop User Enumeration only inspect the GET query string, so the POST variant walks straight past them.
ruby stop_user_enumeration_bypass.rb https://guides.wp-bullet.com
Damn, the POST variant finds my username too:
Usernames found:
+----+-------------------+-------------------+
| Id | Login | Name |
+----+-------------------+-------------------+
| 1 | wpbullet | wpbullet |
+----+-------------------+-------------------+
Time to prevent these scans.
Stop WPScan WordPress User Enumeration with Varnish
Open up your Varnish vcl.
sudo nano /etc/varnish/default.vcl
The syntax is slightly different for Varnish 3 and 4 so there are separate sections for each version below.
Prevent WPScan User Enumeration with Varnish 3
In the sub vcl_recv section, add these snippets for Varnish 3 to block both the basic and the advanced WPScan user enumeration. The author regex uses [?&] so that author=N is caught anywhere in the query string, not only directly after the "?":
# stop WPScan basic user enumeration (GET /?author=N)
if (req.url ~ "[?&]author=[0-9]+") {
    error 403 "Not allowed";
}
# stop WPScan advanced enumeration: an anonymous POST to the site root carrying author=N in the body.
# Logged-in users, identified by the wordpress_logged_in cookie, may still POST to /.
if (req.url == "/" && req.request == "POST" && req.http.cookie !~ "wordpress_logged_in") {
    error 403 "Not allowed";
}
Note that the second rule rejects every anonymous POST to "/", so if a front-end form on your home page submits to the site root you will need to add an exception for it.
Ctrl+X, Y and Enter to Save and Exit.
Verify your Varnish 3 vcl syntax is correct.
varnishd -C -f /etc/varnish/default.vcl
Reload Varnish 3 service.
sudo service varnish reload
Prevent WPScan User Enumeration with Varnish 4
In the sub vcl_recv section, add these snippets for Varnish 4. They are the same two rules as above; Varnish 4 renamed req.request to req.method and replaced the error keyword with return(synth()):
# stop WPScan basic user enumeration (GET /?author=N)
if (req.url ~ "[?&]author=[0-9]+") {
    return(synth(403, "Not allowed."));
}
# stop WPScan advanced enumeration: an anonymous POST to the site root carrying author=N in the body.
# Logged-in users, identified by the wordpress_logged_in cookie, may still POST to /.
if (req.url == "/" && req.method == "POST" && req.http.cookie !~ "wordpress_logged_in") {
    return(synth(403, "Not allowed."));
}
As with Varnish 3, every anonymous POST to "/" is rejected, so a front-end form that submits to the site root needs an exception.
Ctrl+X, Y and Enter to Save and Exit.
Verify your Varnish 4 vcl syntax is correct.
varnishd -C -f /etc/varnish/default.vcl
Reload Varnish 4 service.
sudo service varnish reload
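To see exactly which requests the two vcl_recv rules stop and which they let through, here is an added example (not code from the original page, WPScan or Varnish): a Python model of the rules in front of a toy WordPress backend that behaves the way WPScan relies on, redirecting a request for a real author ID to /author/<login>/ so the login leaks in the Location header. The site, its single user (id 1, login "wpbullet") and all requests are constructed for the example; the author regex matches author=N anywhere in the query string, which is slightly broader than the "\?author\=" pattern shown earlier.

```python
import re

# Added example (not code from the original page or from WPScan/Varnish):
# a Python model of the two vcl_recv rules plus a toy WordPress backend, so
# the rules can be exercised offline against WPScan-style requests.
# Constructed for this example: a site with a single user, id 1, login "wpbullet".
USERS = {1: "wpbullet"}

# Matches author=N anywhere in the query string ([?&] catches both
# "/?author=1" and "/?foo=bar&author=1").
AUTHOR_QUERY = re.compile(r"[?&]author=[0-9]+")
LOGGED_IN = re.compile(r"wordpress_logged_in")


def varnish_recv(method, url, cookie=None):
    """Model of the vcl_recv rules. Returns 403 when Varnish would reject
    the request, or None when it passes the request on to WordPress."""
    # basic enumeration: GET /?author=N
    if AUTHOR_QUERY.search(url):
        return 403
    # advanced enumeration: anonymous POST to the site root; the
    # wordpress_logged_in cookie exempts logged-in users
    if url == "/" and method == "POST" and not (cookie and LOGGED_IN.search(cookie)):
        return 403
    return None


def wordpress(method, url, body=None):
    """Toy model of the behaviour WPScan abuses: a request for a real
    author ID (author=N in the query string, or in a POST body sent to
    the site root) is redirected to that author's archive, and the
    Location header leaks the login."""
    params = url.split("?", 1)[1] if "?" in url else ""
    if method == "POST" and url == "/" and body:
        params = body
    m = re.search(r"(?:^|&)author=([0-9]+)", params)
    if m and int(m.group(1)) in USERS:
        return 301, "/author/%s/" % USERS[int(m.group(1))]
    return 200, None


def request(method, url, cookie=None, body=None, protect=True):
    """One request through Varnish (when protect=True) and then WordPress."""
    if protect:
        status = varnish_recv(method, url, cookie)
        if status is not None:
            return status, None
    return wordpress(method, url, body)


def login_from_location(location):
    # "/author/wpbullet/" -> "wpbullet"
    return location.strip("/").split("/")[-1]


def enumerate_basic(protect, max_id=10):
    """WPScan's basic method: walk /?author=1, /?author=2, ... and read
    the redirect target. Returns the logins discovered."""
    found = []
    for uid in range(1, max_id + 1):
        status, location = request("GET", "/?author=%d" % uid, protect=protect)
        if status == 301 and location.startswith("/author/"):
            found.append(login_from_location(location))
    return found


def enumerate_advanced(protect, max_id=10):
    """The stop_user_enumeration_bypass method: the same IDs, sent as a
    POST body to the site root, which plugins that only inspect the GET
    query string never see."""
    found = []
    for uid in range(1, max_id + 1):
        status, location = request("POST", "/", body="author=%d" % uid, protect=protect)
        if status == 301 and location.startswith("/author/"):
            found.append(login_from_location(location))
    return found


if __name__ == "__main__":
    for name, fn in (("basic", enumerate_basic), ("advanced", enumerate_advanced)):
        print("%-8s unprotected: %s  protected: %s" % (name, fn(False), fn(True)))
```

Running it shows both methods recovering "wpbullet" without the rules and nothing with them, while a plain GET of the home page, a POST to wp-login.php and a POST to "/" from a logged-in browser still reach WordPress. Requests that do not carry an author ID at all (for example the REST API user listing on newer WordPress versions) are not touched by these rules and need their own handling.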
Testing Blocked WPScan User Enumeration with Varnish
After reloading Varnish, run both scans again to confirm the rules work.
Perform a basic WPScan user enumeration scan again
ruby wpscan.rb --url https://guides.wp-bullet.com --enumerate u
Output showing that Varnish blocked the basic enumeration:
[+] Enumerating usernames ...
[+] We did not enumerate any usernames
Now with the advanced user enumeration
ruby stop_user_enumeration_bypass.rb https://guides.wp-bullet.com
Output showing that no usernames were enumerated by the POST method either:
Usernames found:
+----+-------+------+
| Id | Login | Name |
+----+-------+------+
+----+-------+------+
This guide showed you how to block both of WPScan's WordPress user enumeration methods, basic and advanced, with Varnish.
You should see far fewer bots hitting wp-login.php with your real WordPress or WooCommerce admin username now. Keep in mind that these rules only cover the author=N vectors: WordPress 4.7 and later also lists users who have published posts through the REST API at /wp-json/wp/v2/users, which needs a separate rule, and hiding the username is no substitute for a strong password and login rate limiting.