Stop User Enumeration – dxw advisories

Potentially unsafe

Last revised: January 4, 2017

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should very carefully consider its potential problems and should conduct a thorough assessment. Read more about this recommendation.

Warnings

The version of this plugin that this recommendation was based on is known to be vulnerable to attack:

Stop User Enumeration does not stop user enumeration

This recommendation applies to version 1.3.4 of this plugin, but the most recent version is 1.6.3. These findings may no longer be correct.

Findings

WordPress 4.7 includes an API for getting all users – this plugin does not block that
Attempts to block traditional user enumeration via /?author=1 (and similar POST requests) but fails

Reason for the 'Potentially unsafe' result

The plugin has been given this recommendation at the tester's discretion:

This plugin makes specific claims about the security it provides (“This plugin stops user enumeration dead”) but does not meet those claims