
How the WordPress administrator user name was leaked

2022-06-10 14:31:00 fmz2222

Your WordPress administrator username is easy to obtain. On its own the username is of limited use, but plenty of sites still run on weak passwords (a few digits, for example), and once the username is known an attacker only has to brute-force or credential-stuff the password to get into the admin dashboard.

So: how does an attacker obtain your WordPress administrator username, and how do you keep it from being obtained? That is what this article covers.

Obtaining the username

1、 First, how the administrator account gets leaked

An attacker, or an automated scanner, sends a GET request to a URL of the form https://www.5uapk.com/wp-json/wp/v2/users/. On a default WordPress install this REST endpoint answers without any authentication and lists every user who has published a post, which on most small sites means the administrator. A typical response:

  [{"id":1,"name":"daniao","url":"","description":"","link":"https:\/\/daniao.com\/author\/daniao","slug":"daniao","avatar_urls":{"24":"https:\/\/cn.gravatar.com\/avatar\/28f745cefb1ad2da1747cdcfccc0ddfa?s=24&d=mm&r=g","48":"https:\/\/cn.gravatar.com\/avatar\/28f745cefb1ad2da1747cdcfccc0ddfa?s=48&d=mm&r=g","96":"https:\/\/cn.gravatar.com\/avatar\/28f745cefb1ad2da1747cdcfccc0ddfa?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"https:\/\/daniao.com\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/daniao.com\/wp-json\/wp\/v2\/users"}]}}]

From this response the administrator account can be read off: daniao (the real name has been replaced; this is only a demonstration). The field that matters is slug: it is the user_nicename, which WordPress derives from the login name when the account is created, so unless it has been changed it is the login itself. The avatar_urls also give away an MD5 hash of the account's e-mail address in the Gravatar URL.

2、 Confirming that the site runs WordPress

The response above already all but confirms that you are running WordPress, but one more probe is worth mentioning:

An attacker or scanner requests https://www.5uapk.com//wp-includes/wlwmanifest.xml. If the file is served, the site runs WordPress, and the manifest also spells out where the dashboard lives (wp-admin/ relative to the site). That is why changing the default login address is worth doing. The response looks like this:

  <manifest xmlns="http://schemas.microsoft.com/wlw/manifest/weblog">
    <options>
      <clientType>WordPress</clientType>
      <supportsKeywords>Yes</supportsKeywords>
      <supportsGetTags>Yes</supportsGetTags>
    </options>
    <weblog>
      <serviceName>WordPress</serviceName>
      <imageUrl>images/wlw/wp-icon.png</imageUrl>
      <watermarkImageUrl>images/wlw/wp-watermark.png</watermarkImageUrl>
      <homepageLinkText>View site</homepageLinkText>
      <adminLinkText>Dashboard</adminLinkText>
      <adminUrl>
        <![CDATA[ {blog-postapi-url}/../wp-admin/ ]]>
      </adminUrl>
      <postEditingUrl>
        <![CDATA[ {blog-postapi-url}/../wp-admin/post.php?action=edit&post={post-id} ]]>
      </postEditingUrl>
    </weblog>
    <buttons>
      <button>
        <id>0</id>
        <text>Manage Comments</text>
        <imageUrl>images/wlw/wp-comments.png</imageUrl>
        <clickUrl>
          <![CDATA[ {blog-postapi-url}/../wp-admin/edit-comments.php ]]>
        </clickUrl>
      </button>
    </buttons>
  </manifest>

3、 Confirming the user ID

Attackers can also request https://www.5uapk.com?author=1 (and then ?author=2, ?author=3, and so on). With pretty permalinks enabled, WordPress answers each existing ID with a redirect to that user's archive, https://.../author/<slug>/, so the Location header hands over the slug for every user ID and confirms which ID belongs to the administrator (ID 1 on most installs), matching the REST output above.
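The three probes above are one procedure: collect the REST user list, walk the ?author=N redirects, and confirm the platform from the manifest. The following is an added example, not code from the original post, that parses each of those responses into login-name candidates and flags the accounts whose display name still equals the login (the case the author addresses later by setting a nickname). The sample JSON and manifest are constructed for the example, modelled on the output shown above with a second, non-admin account added to show the general case; the probe() function is a live check for your own site only.

```python
"""Parse the WordPress user-enumeration signals described above (added example)."""
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed sample of a GET /wp-json/wp/v2/users/ response (not real data).
SAMPLE_USERS_JSON = json.dumps([
    {"id": 1, "name": "daniao", "slug": "daniao",
     "link": "https://daniao.com/author/daniao"},
    {"id": 3, "name": "Editor Bob", "slug": "bob",
     "link": "https://daniao.com/author/bob"},
])

# Constructed sample of the start of /wp-includes/wlwmanifest.xml.
SAMPLE_MANIFEST = ('<manifest xmlns="http://schemas.microsoft.com/wlw/manifest/weblog">'
                   '<options><clientType>WordPress</clientType></options></manifest>')


def users_from_json(body):
    """Return (id, slug, display name) for each user in a /wp/v2/users response.

    The slug is user_nicename, which WordPress derives from the login name at
    account creation, so it is normally the login itself.
    """
    return [(u["id"], u["slug"], u.get("name", "")) for u in json.loads(body)]


def slug_from_author_redirect(location):
    """Extract the slug from the Location header of a ?author=N redirect.

    With pretty permalinks WordPress redirects /?author=1 to /author/<slug>/.
    Returns None when the path is not an author archive (ID absent or blocked).
    """
    m = re.fullmatch(r".*/author/([^/]+)/?", urlparse(location).path)
    return m.group(1) if m else None


def is_wlw_manifest(body):
    """True if the body is the Windows Live Writer manifest WordPress ships."""
    return "<clientType>WordPress</clientType>" in body


def accounts_showing_login(users):
    """Slugs whose public display name equals the slug: no nickname was set,
    so the login name also appears in every article byline."""
    return [slug for _, slug, name in users if name.lower() == slug.lower()]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects so the Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, max_author_id=5, timeout=10):
    """Live check of one site. Only run this against a site you own."""
    opener = urllib.request.build_opener(_NoRedirect)
    found = {}

    def get(path):
        try:
            with opener.open(urljoin(base_url, path), timeout=timeout) as r:
                return r.status, r.headers, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:   # 3xx (unfollowed) and 4xx land here
            return e.code, e.headers, ""

    status, _, body = get("/wp-json/wp/v2/users/")
    if status == 200:
        for uid, slug, _ in users_from_json(body):
            found[uid] = slug
    for uid in range(1, max_author_id + 1):
        status, headers, _ = get(f"/?author={uid}")
        if 300 <= status < 400:
            slug = slug_from_author_redirect(headers.get("Location", ""))
            if slug:
                found[uid] = slug
    status, _, body = get("/wp-includes/wlwmanifest.xml")
    return {"wordpress_confirmed": status == 200 and is_wlw_manifest(body),
            "users": found}


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it as python3 enum_check.py https://your-site.example to see exactly what an anonymous visitor learns about your accounts; an empty "users" map and a false "wordpress_confirmed" is the result you want after applying the rules in the next section.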

Protection

Now that you know how the leak works, here is how to protect against it.

4、 Restrict access

1) Block access to /wp-json/wp/v2/users/. If you use the Baota (宝塔) panel, add the rule in the site's configuration file or in its URL-rewrite (伪静态) settings.

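The following nginx rules are an added example, not the original post's configuration, covering all three paths from the first half of the article. They assume WordPress is installed at the site root and that the rules are placed inside the site's server block (in Baota, the URL-rewrite file for the site); the regexes are my own.

```nginx
# Added example: block anonymous user enumeration (not the post's own rules).

# 1. REST user listing, including single users (/users/1).
#    Also catches the same route reached through ?rest_route= when pretty
#    permalinks are off, in plain and percent-encoded form.
location ~* ^/wp-json/wp/v2/users {
    return 403;
}
if ($args ~* "(^|&)rest_route=(/|%2F)wp(/|%2F)v2(/|%2F)users") {
    return 403;
}

# 2. Windows Live Writer manifest (platform fingerprint only).
location = /wp-includes/wlwmanifest.xml {
    return 403;
}

# 3. ?author=N requests, which otherwise redirect to /author/<slug>/.
#    The (^|&) anchor avoids matching unrelated parameters such as post_author=.
if ($args ~* "(^|&)author=\d+") {
    return 403;
}
```

Reload nginx and re-run the probes. One caveat: these rules apply to logged-in users as well, and the block editor's author dropdown fetches /wp/v2/users itself, so check that editing posts still works on your site; if it does not, loosen the first rule or filter the REST routes inside WordPress instead.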

2) Effect

Requesting the URLs above is now refused (the original post shows a screenshot of the blocked response here).

5、 If you use the Baota panel and have its paid firewall plugin installed, you can also block the URLs there

Add the following rules under the firewall's list of forbidden URLs:

  /wp-json/wp/v2/users
  /wp-includes/wlwmanifest.xml

Requests to these URLs now get the firewall's interception page instead of the content.

6、 Finally

WordPress does not treat any of this as a vulnerability (usernames are not considered secret), so there is no need to panic. Anyone who has paid a little attention to security has long since set a strong password, hidden the login page and disabled xmlrpc.php.

1) To disable xmlrpc.php under nginx, add the following rule in the same place as above (the URL-rewrite settings):

  location ^~ /xmlrpc.php { return 403; }

Decide for yourself whether to disable it: XML-RPC is what the WordPress mobile apps, Jetpack and similar remote clients use, so they stop working once it is blocked. If something breaks after you add the rule, remove or comment it out.

2) Some themes print the administrator's account name in every article byline, which really does feel like handing the username over. Set a nickname in the WordPress dashboard (Users, Profile) and select it under "Display name publicly as"; articles will then show the nickname instead of the login. Note that this does not change the slug used in /author/<slug>/ and in the REST response; that is the user_nicename field and has to be changed separately (via the database or a plugin).

3) Use the URLs above to test your own WordPress site and see whether it gives away this information. If you consider it sensitive, apply the access rules.

Reprinted from: http://www.5uapk.com/game/3047.html


Copyright notice
This article was written by [fmz2222]; please include the original link when reprinting. Thank you.
https://yzsam.com/2022/161/202206101421488304.html