Alex over at Question-Defense posted an article in March about stopping WordPress User Enumeration. It turns out that not only did he want a more formal patch for this vulnerability, but I also knew of another user enumeration vulnerability in WordPress. After hanging out for a bit at Blackhat, he and I decided to plop down and come up with a formal patch to address these vulnerabilities. If you want to read the full article on this, check out: Block WordPress User Enumeration, Secure WordPress Against Hacking. Grab the patch after the fold:
How To Apply This Patch
On the off chance that you have never used a *nix patch file, I've added these instructions to help you apply the patch.
Download The wpuserEnum.patch File
First things first, grab the wpuserEnum.patch file provided above and place it in your root WordPress directory (for example /home/user/public_html/ if WordPress is installed at the top level of your site, so that it is served at a URL like http://site.com).
SSH Into Your Server
In order to apply the wpuserEnum patch you will need access to a terminal, which typically means having to SSH into your webserver. Once you have established an SSH connection to your webserver, navigate to your root WordPress directory.
Eradicating User Enumeration Bugs For Fun And Profit
Now comes the moment we’ve all been waiting for: APPLYING THE PATCH!!!
This is very simple: from your root WordPress directory, just run the following command:
patch -p0 < wpuserEnum.patch
If everything succeeded, you'll be patched against these user enumeration vulnerabilities.
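As an added example (my own code, not the post's patch or Alex's), here is a small POSIX shell wrapper around that step which refuses to run outside a WordPress root and dry-runs wpuserEnum.patch before it touches any file. The marker files it checks for (wp-login.php and wp-includes/) and the throwaway fixture patch are my assumptions, and --dry-run needs GNU patch.

```sh
#!/bin/sh
# Added example (not from the original post): a wrapper around the
# "patch -p0 < wpuserEnum.patch" step that refuses to run outside a
# WordPress root and dry-runs the patch before touching any file.
# Assumes GNU patch (--dry-run); the marker files are my own choice.

# A WordPress root is recognised by two items every core install ships with.
is_wp_root() {
    [ -f "$1/wp-login.php" ] && [ -d "$1/wp-includes" ]
}

# apply_wp_patch ROOT PATCHFILE
# Returns 1 if ROOT is not a WordPress root, 2 if the dry run rejects a
# hunk (nothing is modified), 3 if the real apply fails, 0 on success.
apply_wp_patch() {
    root=$1
    patchfile=$2
    is_wp_root "$root" || { echo "not a WordPress root: $root" >&2; return 1; }
    # Resolve the patch path now, before cd changes the working directory.
    case $patchfile in /*) ;; *) patchfile=$PWD/$patchfile ;; esac
    # -p0 keeps the paths inside the patch relative to the WordPress root,
    # which is why the post has you run the command from that directory.
    ( cd "$root" && patch -p0 -s --dry-run < "$patchfile" ) \
        || { echo "dry run failed, nothing changed" >&2; return 2; }
    ( cd "$root" && patch -p0 -s < "$patchfile" ) || return 3
}

# Constructed fixture for trying the wrapper offline: a throwaway tree
# with the two marker items and a tiny -p0 patch against wp-login.php.
# Prints the fixture directory; this is not the real wpuserEnum.patch.
make_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/wp-includes"
    printf '<?php\n// original line\n' > "$dir/wp-login.php"
    cat > "$dir/wpuserEnum.patch" <<'EOF'
--- wp-login.php
+++ wp-login.php
@@ -1,2 +1,2 @@
 <?php
-// original line
+// patched line
EOF
    echo "$dir"
}

# Usage on a real install (after copying wpuserEnum.patch into the root):
#   apply_wp_patch /home/user/public_html /home/user/public_html/wpuserEnum.patch
```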
Thanks a lot to Alex (@dakykilla) for bringing this vulnerability to my attention.