• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • Support for BIND DNS has been removed from Plesk for Windows due to security and maintenance risks.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS.

Issue Wordpress Dataleak (UserNames and IDs)

LTUser

LTUser

Regular Pleskian
Excuse me, I do not find the right place to warn about it and it is not really a security leak.
Therefore delete the info or move it to the right place if necessary.

Test this:
https://(www.)yourdomain.tld/wp-json/wp/v2/users/

Do you get a page with UserNames and IDs

add this near Rewritebase / in your .htaccess
Code: 
RewriteCond %{REQUEST_URI} (wp-json|author)
RewriteRule ^(.*)$ https://www.yourdomain.tld [F,L]

The data leak also exists if the WordPress Toolkit and the
security check classify everything as "Safe".
 
I probably had too much trust in WP.
I didn't think that these barn doors were "worldreadable".

In the meantime, WP is being pushed by goggle at the expense of forums, so you have to pay more attention to your data now, especially in WP.
 
You must log in or register to reply here.

Similar threads

R
Resolved WP Toolkit/Wordpress Toolkit - older version screenshot issue
Replies
4
Views
4K
rhall
R
M
Resolved How do you get the last installed WordPress instance-id on the command line?
Replies
3
Views
2K
Maarten
M
E
Resolved Wordpress toolkit CLI, can't enable smart update from CLI
Replies
6
Views
3K
Peter Debik
P
Rene van Lieshout
Question WordPress Vulnerabilities -> No updates available
Replies
12
Views
7K
Tim_Wakeling
Tim_Wakeling
O
Issue .htaccess Expires Headers not working at all
Replies
3
Views
3K
MartinT
M
Back
Top