So this is a bit of a long winded question and only partly Comet related but here goes…
On a new site I recently setup I decided to try out the All In One WP Security & Firewall plugin instead of my usual go-to, the security plugin from iThemes. All In One has some interesting features which have sent me lurking down a rabbit hole.
Among other things there are several levels/methods for blocking unwanted logins. This site was just launched a few weeks ago and my login was getting hit hundreds of times in a few hours.
Part of dealing with that is preventing exposure of usernames. There are two typical ways to grab user names; via the url like https://mydomain.com/?author=3 which will return the username for the user with that numeric ID.
That user enumeration can be turned off via the plugin but I then realized that Yoast SEO was also creating a authors list as part of the sitemap (based the WordPress archive URL). That can be turned off in the Yoast plugin but still, something is allowing names to leak. Initially the login page hits went to almost zero but after a few hours they started again on a new user name that was created after the above was turned off.
Realistically this is not so important as the passwords are strong and the IPs are automatically locked out for a month after 3 attempts, I could also move the login url but it has all made me really curious.
Searching the page source content of all the public pages and posts does not reveal the username so I don’t think the theme is exposing them and there are no author links or metadata being displayed (which would be immediately found on any page source view) and the WP database does not show usernames in any unexpected place so I’m back to analyzing the plugins to see if one of them might be revealing usernames or if it really is the theme or simply WordPress itself.
So my questions here are;
- what if anything does a caching program like Comet cache, besides all the publicly visible pages and posts and the media contained in those posts?
- is there some other standard WordPress call to probe/request user names? I don’t mean serious hacking as I doubt this site is being hit by such advanced bots.
The only plugins I have are:
Contact form 7
WP Maintenance Mode
Google recaptcha v3
Yoast was the obvious place to look as it is all about structured exposure but I ‘think’ those doors are closed.
Popup Maker is very clear that they do send data for usage analytics but it seems unlikely they would be exposing user names and none of the rest seem likely to be revealing user names either.
Then there is always reCaptcha v3… Do you think it might be exposing usernames?