Can I Prevent Enumeration of Usernames?

A simple solution I use in a .htaccess: RewriteCond %{REQUEST_URI} !^/wp-admin [NC] RewriteCond %{QUERY_STRING} author=\d RewriteRule ^ – [L,R=403] It is similar to @jptsetme’s answer, but it works even when the query string is /?dummy&author=5, and the search pattern for RewriteRule is very fast: You often see a capture ([0-9]*) in regular expressions for this. … Read more

WordPress 4.7.1 REST API still exposing users

This code snippet will hide the users, posts, and comments endpoint results and give 404 as the result, while the rest of the API calls keep running as they were. ::UPDATE:: add_filter(‘rest_endpoints’, function(){ $toRemove = [‘users’, ‘posts’, ‘comments’]; foreach($toRemove as $val) { if (isset($endpoints[‘/wp/v2/’.$val])) { unset($endpoints[‘/wp/v2/’.$val]); } if(isset($endpoints[‘/wp/v2/’.$val.’/(?P<id>[\d]+)’])) { unset($endpoints[‘/wp/v2/’.$val.’/(?P<id>[\d]+)’]); } } return $endpoints; }); … Read more

Getting a List of Currently Available Roles on a WordPress Site?

Roles are stored in the global variable $wp_roles. The ideal function is get_editable_roles() from /wp-admin/includes/user.php function get_editable_roles() { global $wp_roles; $all_roles = $wp_roles->roles; $editable_roles = apply_filters(‘editable_roles’, $all_roles); return $editable_roles; } The “editable” part is because it offers other plugins a chance to filter the list in case someone other than admin has ‘edit_users’ privilege (and … Read more

Can I rename the wp-admin folder?

Unfortunately it’s not currently possible nor does there appear to be will to consider it as a modification as you can see by this recent thread on the wp-hackers list and this ticket on trac. If you’d really like to see this be revisited I’d suggest: Present your case on wp-hackers but be forewarned your … Read more

Infected Files – what to do [closed]

If you have a good full backup of your website, restore your site from it (recommended). Install and set up WordFence plugin (as in case of no backup). If you don’t have good backup: Immediately delete all files from this list. Get a clean copy of your version of WordPress, and clean copy of your … Read more

How to Protect Uploads, if User is not Logged In?

Only checking if the cookie exists, is not much of a strict protection. To get a stronger protection, you can pass or “proxy” all requests to the uploaded folder (exemplary uploads in the following example) through a php script: RewriteCond %{REQUEST_FILENAME} -s RewriteRule ^wp-content/uploads/(.*)$ dl-file.php?file=$1 [QSA,L] All requests to uploaded files (which includes images in … Read more

Verifying that I have fully removed a WordPress hack?

Have you identified the exploit vector? If not, you may be leaving yourself open to future exploit. Other things to consider: Change WordPress admin user passwords – done Change Hosting account user password Change FTP passwords Change MySQL db user password – done Change the db table prefix Update your wp-config nonces/salt Check your directory/file … Read more

Hide the fact a site is using WordPress?

The biggest WordPress giveaways are between the <head> </head> tags. Example WordPress head content output by The Twentyten Theme and how to remove: <link rel=”profile” href=”http://gmpg.org/xfn/11″ /> Remove directly from header.php <link rel=”stylesheet” type=”text/css” media=”all” href=”http://example.com/wp-content/themes/twentyten/style.css” /> Hide WordPress by calling your stylesheet from another location and change the wp-content directory. WordPress requires your theme … Read more