1. The problem I’m having:
As a first-time WordPress user, I’ve been confused by all the various security plugins and what they offer, so I’ve decided to see if some of the functionality could be included in the Caddyfile.
There’s the issue of user enumeration whereby attackers can find the WordPress usernames by looking at the JSON API or by running a check on blog authors. I’d like to run this code by you, to ensure it would work:
@disallowed {
	path /xmlrpc.php
	path *.sql
	# a '*' in the middle of a 'path' pattern does not cross '/', so this
	# only covers files directly under uploads/, not year/month subfolders
	path /wp-content/uploads/*.php
	path *wp/v2/users*
}
# 'path' never sees the query string, so "/?author=1" needs the 'query'
# matcher; it goes in its own named matcher because different matcher
# types inside one block are ANDed, not ORed
@author_enum {
	query author=*
}
The addition of the last two paths, I hope, would block all attempts to use the JSON API to discover usernames, and allow people to pull a list of blog authors.
In the link below, I think this would prevent most attempts (#1, #3 and #5 in the article), but I’m not sure it would help with the issues of case sensitivity (#4).
What do you think?
2. Error messages and/or full log output:
n/a
3. Caddy version:
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
4. How I installed and ran Caddy:
a. System environment:
Ubuntu 22.04.3.
b. Command:
n/a
c. Service/unit/compose file:
n/a
d. My complete Caddy config:
n/a
5. Links to relevant resources:
https://www.gosecure.net/blog/2021/03/16/6-ways-to-enumerate-wordpress-users/
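A complete site block that wires the matchers above to a 403 response, added here as an example rather than taken from the original post; the domain, web root and PHP-FPM socket path are assumptions for a typical WordPress install.

```caddyfile
# Added example, not part of the original post. Domain, web root and
# PHP-FPM socket are assumptions; adjust them for your install.
example.com {
	root * /var/www/wordpress
	encode gzip

	# Repeated 'path' lines in one named matcher are ORed. Path matching
	# is case-insensitive, so mixed-case variants of these are caught too.
	@blocked_paths {
		path /xmlrpc.php
		path *.sql
		path *wp/v2/users*
	}

	# A '*' in the middle of a 'path' pattern does not cross '/', so
	# /wp-content/uploads/*.php misses year/month subfolders; a regex
	# (with (?i) for case-insensitivity) covers any depth.
	@uploads_php {
		path_regexp (?i)^/wp-content/uploads/.*[.]php$
	}

	# 'path' never sees the query string, and different matcher types in
	# one named matcher are ANDed, so the author check gets its own
	# matcher; 'author=*' matches any value of the author parameter.
	@author_enum {
		query author=*
	}

	# 'respond' is terminal and is ordered before php_fastcgi and
	# file_server, so a matching request gets a 403 and never reaches PHP.
	respond @blocked_paths 403
	respond @uploads_php 403
	respond @author_enum 403

	php_fastcgi unix//run/php/php-fpm.sock
	file_server
}
```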