photo credit: darkday. via photopin cc

Prevent author sniffing on your WordPress site with NginX

Recently, a colleague of me attended me on some… security flaws in my WordPress website. He showed me a Linux Distro called ‘backbox‘ and a tool called ‘WPScan‘ in particular.
This tools allows you to scan any given WordPress site for vulnerabilities and/or exploits. One of the things it also does, is try to fetch you administrators’ username, making a brute-force attack easier, since you would ‘only’ have to guess the password from that point on.
What WPScan does is check what page your WordPress site returns if given the URL www.domain.com/?author=1 . WordPress’ default behaviour is to fetch user with ID=1 (which in 99% of the cases is the administrator), and checks which URL WordPress gives back (www.domain.com/author/admin/  for example).
While solutions to fix this ‘feature’ can be found for apache / .htaccess, I couldn’t find a fix for NginX. So I had to write my own:

Add this rule to your sites’ NginX configuration file and any request to guess your author by ID will result in a 403.

Visitors give this article an average rating of 4.7 out of 5.

How would you rate this article?

Leave a Reply