Tagged: Security
July 18, 2017 at 6:15 am #823096
Hi,
I recently got notified of a brute force attack on one of my client's Enfold sites. The attacker had used the actual user names to try and guess passwords. I am not showing the user names anywhere on the site and they are random, BUT it seems there is a potential security weakness in the Enfold theme code, making the user names visible in the page HTML.

When looking at the inspector for a couple of Enfold sites where the only meta information I am choosing to display is post date, I can see the theme still generates the meta info (see picture). When "editing as html" I can see the user name displayed in plain text! See code below (I have replaced the real user name with the text "username" and the site URL with "mysite.co.uk" for security reasons):

<span class="blog-author minor-meta">by <span class="entry-author-link"><span class="vcard author"><span class="fn">username</span></span></span></span>
Would you be able to comment and please raise this issue with Kriesi – There is little point in trying to protect user names by using random names on a WordPress site if the theme is going to make it available for anyone to see when they scan the page html !!
Thanks in advance
Hugues

July 19, 2017 at 7:16 am #823698
Hey Hugues,
To assist you with this issue, we’ll first need you to provide us with your URL. This is to ensure that we can provide you with a tailored answer to your situation. Once you have provided us with your URL, we will be happy to assist you with everything.
Best regards,
John Torvik

July 19, 2017 at 12:24 pm #823906
Hi John,
Yes, of course. The URL for the site where the user names had been "guessed" is attached in private content. I also include an example blog post, and then you'll see the user name in the HTML in the inspector although I opt not to display it on the page.
Hugues

July 19, 2017 at 2:28 pm #823968
Hi Hugues,
On most blogs you see author names and links to their accounts. The other thing is that there has to be a plugin or custom functionality that would block all the brute force attacks, block IPs or any other way. Are you using Wordfence or the like?
Plus you can use a plugin to enforce strong passwords.
Best regards,
Victoria
July 19, 2017 at 5:45 pm #824086
Hi Victoria,
Thanks for your reply. Yes, of course I use Wordfence to limit login attempts, which is what alerted me that bots were actively targeting the user name. My point was more for your developers, regarding the way the theme is coded: why show the user names in the meta data in the HTML if the option to display it has been disabled?

Have a look at the link I am attaching in private content; this is using another theme, GeneratePress by Tom Usborne. Here, if the option is chosen not to display the author name, then the HTML code for that meta element is simply not generated, hence no trace of the user name is shown.
Just a thought
Hugues

July 20, 2017 at 6:55 pm #824794
Hi Hugues,
I see what you mean. I will let them know. Thank you for bringing that up.
Best regards,
Victoria
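The difference Hugues describes (a name hidden by the theme but still present in the HTML source, versus markup that is never generated) can be checked on a site's own saved page HTML. The following is an added example, not code from the Enfold theme or from this thread: it parses the markup quoted above (the sample string is constructed) and reports every name inside a "fn" span nested in a "vcard author" span, noting whether it was only hidden with inline CSS, because CSS hiding does not remove it from the source.

```python
"""Audit saved page HTML for author-meta markup that exposes user names."""
from html.parser import HTMLParser

VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never get an end tag


class AuthorMetaAuditor(HTMLParser):
    """Collects text of <span class="fn"> elements inside a 'vcard author' span."""

    def __init__(self):
        super().__init__()
        self.stack = []       # one (in_vcard, hidden) entry per open element
        self.fn_depth = None  # stack depth at which the current fn span opened
        self.buf = []
        self.findings = []    # (author name, hidden_by_css_only)

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        classes = set((a.get("class") or "").split())
        style = (a.get("style") or "").replace(" ", "").lower()
        parent_vcard, parent_hidden = self.stack[-1] if self.stack else (False, False)
        in_vcard = parent_vcard or {"vcard", "author"} <= classes
        hidden = parent_hidden or "display:none" in style or "visibility:hidden" in style
        self.stack.append((in_vcard, hidden))
        if self.fn_depth is None and tag == "span" and "fn" in classes and in_vcard:
            self.fn_depth = len(self.stack)
            self.buf = []

    def handle_data(self, data):
        if self.fn_depth is not None:
            self.buf.append(data)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self.stack:
            return
        _, hidden = self.stack.pop()
        if self.fn_depth is not None and len(self.stack) + 1 == self.fn_depth:
            # Closing the fn span: the name is in the source whether hidden or not.
            self.findings.append(("".join(self.buf).strip(), hidden))
            self.fn_depth = None


def find_exposed_authors(html):
    """Return [(name, hidden_by_css_only), ...] for author names present in the HTML."""
    parser = AuthorMetaAuditor()
    parser.feed(html)
    return parser.findings


# Constructed sample: the markup quoted in the thread, plus a CSS-hidden variant.
SAMPLE = (
    '<span class="blog-author minor-meta">by <span class="entry-author-link">'
    '<span class="vcard author"><span class="fn">username</span></span></span></span>'
    '<span class="blog-author minor-meta" style="display: none">by '
    '<span class="vcard author"><span class="fn">hiddenuser</span></span></span>'
    '<span class="fn">not-an-author</span>'
)
```

Run `find_exposed_authors` over your own site's saved HTML with the author option turned off: an empty result is what GeneratePress-style behaviour produces, while any finding means the name is readable in the source.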