two-fa
2 months ago
vulnerabilities
2 months ago
block-code-execution-uploads.php
2 months ago
disable-xmlrpc.php
2 months ago
display-name-is-login-name.php
2 months ago
file-editing.php
2 months ago
hide-wp-version.php
2 months ago
index.php
2 months ago
prevent-login-info-leakage.php
2 months ago
rename-admin-user.php
2 months ago
rest-api.php
2 months ago
user-enumeration.php
2 months ago
user-registration.php
2 months ago
user-enumeration.php
83 lines
| 1 | <?php |
| 2 | defined('ABSPATH') or die(); |
| 3 | /** |
| 4 | * Prevent User Enumeration |
| 5 | * @return void |
| 6 | */ |
| 7 | function rsssl_check_user_enumeration() { |
| 8 | if ( ! is_user_logged_in() && isset( $_REQUEST['author'] ) ) { |
| 9 | if ( preg_match( '/\\d/', $_REQUEST['author'] ) > 0 ) { |
| 10 | wp_die( sprintf(__( 'forbidden - number in author name not allowed = %s', 'really-simple-ssl' ), esc_html( $_REQUEST['author'] ) ) ); |
| 11 | } |
| 12 | } |
| 13 | } |
| 14 | add_action('init', 'rsssl_check_user_enumeration'); |
| 15 | |
| 16 | /** |
| 17 | * @return bool |
| 18 | * Remove author from Yoast sitemap |
| 19 | */ |
| 20 | function rsssl_remove_author_from_yoast_sitemap( $users ) { |
| 21 | return false; |
| 22 | } |
| 23 | add_filter('wpseo_sitemap_exclude_author', 'rsssl_remove_author_from_yoast_sitemap', 10, 1 ); |
| 24 | |
| 25 | /** |
| 26 | * Prevent WP JSON API User Enumeration |
| 27 | * Return 401 Unauthorized |
| 28 | */ |
| 29 | if ( !is_user_logged_in() || !current_user_can('edit_posts') ) { |
| 30 | add_filter( 'rest_endpoints', function ( $endpoints ) { |
| 31 | if ( isset( $endpoints['/wp/v2/users'] ) ) { |
| 32 | // Save the original endpoint |
| 33 | $original_endpoint = $endpoints['/wp/v2/users']; |
| 34 | |
| 35 | // Override the GET callback |
| 36 | $endpoints['/wp/v2/users'][0]['callback'] = function() { |
| 37 | return new WP_Error( |
| 38 | 'rest_user_cannot_view', |
| 39 | __( 'Sorry, you are not allowed to access users without authentication.', 'really-simple-ssl' ), |
| 40 | array( 'status' => 401 ) |
| 41 | ); |
| 42 | }; |
| 43 | |
| 44 | // Preserve the original args and permission callback |
| 45 | $endpoints['/wp/v2/users'][0]['args'] = $original_endpoint[0]['args']; |
| 46 | $endpoints['/wp/v2/users'][0]['permission_callback'] = '__return_true'; |
| 47 | } |
| 48 | |
| 49 | if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) { |
| 50 | // Save the original endpoint |
| 51 | $original_endpoint = $endpoints['/wp/v2/users/(?P<id>[\d]+)']; |
| 52 | |
| 53 | // Override the GET callback |
| 54 | $endpoints['/wp/v2/users/(?P<id>[\d]+)'][0]['callback'] = function() { |
| 55 | return new WP_Error( |
| 56 | 'rest_user_cannot_view', |
| 57 | __( 'Sorry, you are not allowed to access user data without authentication.', 'really-simple-ssl' ), |
| 58 | array( 'status' => 401 ) |
| 59 | ); |
| 60 | }; |
| 61 | |
| 62 | // Preserve the original args and permission callback |
| 63 | $endpoints['/wp/v2/users/(?P<id>[\d]+)'][0]['args'] = $original_endpoint[0]['args']; |
| 64 | $endpoints['/wp/v2/users/(?P<id>[\d]+)'][0]['permission_callback'] = '__return_true'; |
| 65 | } |
| 66 | |
| 67 | return $endpoints; |
| 68 | } ); |
| 69 | } |
| 70 | |
| 71 | //prevent xml site map user enumeration |
| 72 | add_filter( |
| 73 | 'wp_sitemaps_add_provider', |
| 74 | function( $provider, $name ) { |
| 75 | if ( 'users' === $name ) { |
| 76 | return false; |
| 77 | } |
| 78 | |
| 79 | return $provider; |
| 80 | }, |
| 81 | 10, |
| 82 | 2 |
| 83 | ); |