攻击者是这样拿到你的Wordpress 【管理员用户名】的！！

lop

http://你的域名/wp-json/wp/v2/users/


我刚刚在各位MJJ的签名站点测试了一下。

约90% 的站点都可以看到管理员用户名


虽然作用不大。但是敏感信息的爆漏还是不太爽

我遇到的一次攻击的具体分析：

https://www.izcv.com/2691.html
（大佬轻点，小站扛不住）

pulpfunction

admin 不怕
密码 我都不知道

风为裳

太感谢楼主了，我终于找到我博客的用户名了！

Sooele

/batch/v1
/oembed/1.0
/oembed/1.0/embed
/oembed/1.0/proxy
/akismet/v1
/akismet/v1/key
/akismet/v1/settings
/akismet/v1/stats
/akismet/v1/stats/(?P<interval>[\w+])
/akismet/v1/alert
/jetpack/v4
/jetpack/v4/plans
/jetpack/v4/products
/jetpack/v4/marketing/survey
/jetpack/v4/jitm
/jetpack/v4/connection/test
/jetpack/v4/connection/test-wpcom
/jetpack/v4/rewind
/jetpack/v4/scan
/jetpack/v4/connection/url
/jetpack/v4/connection/data
/jetpack/v4/connection/register
/jetpack/v4/connection/owner
/jetpack/v4/tracking/settings
/jetpack/v4/connection
/jetpack/v4/connection/user
/jetpack/v4/site
/jetpack/v4/site/features
/jetpack/v4/site/products
/jetpack/v4/site/purchases
/jetpack/v4/site/benefits
/jetpack/v4/site/activity
/jetpack/v4/identity-crisis/confirm-safe-mode
/jetpack/v4/identity-crisis/start-fresh
/jetpack/v4/identity-crisis/migrate
/jetpack/v4/module/all
/jetpack/v4/module/all/active
/jetpack/v4/module/(?P<slug>[a-z\-]+)
/jetpack/v4/module/(?P<slug>[a-z\-]+)/active
/jetpack/v4/module/(?P<slug>[a-z\-]+)/data
/jetpack/v4/module/(?P<service>[a-z\-]+)/key/check
/jetpack/v4/settings
/jetpack/v4/settings/(?P<slug>[a-z\-]+)
/jetpack/v4/options/(?P<options>[a-z\-]+)
/jetpack/v4/updates/plugins
/jetpack/v4/notice/(?P<notice>[a-z\-_]+)
/jetpack/v4/plugins
/jetpack/v4/plugins/(?P<plugin>[^.\/]+(?:\/[^.\/]+)?)
/jetpack/v4/plugins/akismet/activate
/jetpack/v4/plugin/(?P<plugin>[a-z\/\.\-_]+)
/jetpack/v4/widgets/(?P<id>[0-9a-z\-_]+)
/jetpack/v4/verify-site/(?P<service>[a-z\-_]+)
/jetpack/v4/verify-site/(?P<service>[a-z\-_]+)/(?<keyring_id>[0-9]+)
/jetpack/v4/service-api-keys/(?P<service>[a-z\-_]+)
/jetpack/v4/mobile/send-login-email
/jetpack/v4/setup/questionnaire
/jetpack/v4/licensing/error
/jetpack/v4/jetpack_crm
/jetpack/v4/verify_xmlrpc_error
/jetpack/v4/remote_authorize
/jetpack/v4/connection/plugins
/jetpack/v4/connection/reconnect
/wpcom/v2
/wpcom/v2/business-hours/localized-week
/wpcom/v2/admin-menu
/wpcom/v2/external-media/list/(?P<service>google_photos|pexels)
/wpcom/v2/external-media/copy/(?P<service>google_photos|pexels)
/wpcom/v2/external-media/connection/(?P<service>google_photos)
/wpcom/v2/instagram-gallery/connect-url
/wpcom/v2/instagram-gallery/connections
/wpcom/v2/instagram-gallery/gallery
/wpcom/v2/mailchimp
/wpcom/v2/mailchimp/groups
/wpcom/v2/podcast-player
/wpcom/v2/resolve-redirect/?(?P<url>.+)?
/wpcom/v2/search
/wpcom/v2/tweetstorm/gather
/wpcom/v2/tweetstorm/parse
/wpcom/v2/tweetstorm/generate-cards
/wpcom/v2/gutenberg/available-extensions
/wpcom/v2/hello
/wpcom/v2/memberships/status
/wpcom/v2/memberships/product
/wpcom/v2/memberships/products
/wpcom/v2/publicize/connections
/wpcom/v2/publicize/connection-test-results
/wpcom/v2/publicize/services
/wpcom/v2/service-api-keys/(?P<service>[a-z\-_]+)
/wpcom/v2/subscribers/count
/jetpack/v4/hints
/wp/v2
/wp/v2/posts
/wp/v2/posts/(?P<id>[\d]+)
/wp/v2/posts/(?P<parent>[\d]+)/revisions
/wp/v2/posts/(?P<parent>[\d]+)/revisions/(?P<id>[\d]+)
/wp/v2/posts/(?P<id>[\d]+)/autosaves
/wp/v2/posts/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/pages
/wp/v2/pages/(?P<id>[\d]+)
/wp/v2/pages/(?P<parent>[\d]+)/revisions
/wp/v2/pages/(?P<parent>[\d]+)/revisions/(?P<id>[\d]+)
/wp/v2/pages/(?P<id>[\d]+)/autosaves
/wp/v2/pages/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/media
/wp/v2/media/(?P<id>[\d]+)
/wp/v2/media/(?P<id>[\d]+)/post-process
/wp/v2/media/(?P<id>[\d]+)/edit
/wp/v2/blocks
/wp/v2/blocks/(?P<id>[\d]+)
/wp/v2/blocks/(?P<id>[\d]+)/autosaves
/wp/v2/blocks/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/feedback
/wp/v2/feedback/(?P<id>[\d]+)
/wp/v2/feedback/(?P<id>[\d]+)/autosaves
/wp/v2/feedback/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/jp_pay_order
/wp/v2/jp_pay_order/(?P<id>[\d]+)
/wp/v2/jp_pay_order/(?P<id>[\d]+)/autosaves
/wp/v2/jp_pay_order/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/jp_pay_product
/wp/v2/jp_pay_product/(?P<id>[\d]+)
/wp/v2/jp_pay_product/(?P<id>[\d]+)/autosaves
/wp/v2/jp_pay_product/(?P<parent>[\d]+)/autosaves/(?P<id>[\d]+)
/wp/v2/types
/wp/v2/types/(?P<type>[\w-]+)
/wp/v2/statuses
/wp/v2/statuses/(?P<status>[\w-]+)
/wp/v2/taxonomies
/wp/v2/taxonomies/(?P<taxonomy>[\w-]+)
/wp/v2/categories
/wp/v2/categories/(?P<id>[\d]+)
/wp/v2/tags
/wp/v2/tags/(?P<id>[\d]+)
/wp/v2/users
/wp/v2/users/(?P<id>[\d]+)
/wp/v2/users/me
/wp/v2/users/(?P<user_id>(?:[\d]+|me))/application-passwords
/wp/v2/users/(?P<user_id>(?:[\d]+|me))/application-passwords/(?P<uuid>[\w\-]+)
/wp/v2/comments
/wp/v2/comments/(?P<id>[\d]+)
/wp/v2/search
/wp/v2/block-renderer/(?P<name>[a-z0-9-]+/[a-z0-9-]+)
/wp/v2/block-types
/wp/v2/block-types/(?P<namespace>[a-zA-Z0-9_-]+)
/wp/v2/block-types/(?P<namespace>[a-zA-Z0-9_-]+)/(?P<name>[a-zA-Z0-9_-]+)
/wp/v2/settings
/wp/v2/themes
/wp/v2/plugins
/wp/v2/plugins/(?P<plugin>[^.\/]+(?:\/[^.\/]+)?)
/wp/v2/block-directory/search
/wp-site-health/v1
/wp-site-health/v1/tests/background-updates
/wp-site-health/v1/tests/loopback-requests
/wp-site-health/v1/tests/dotorg-communication
/wp-site-health/v1/tests/authorization-header
/wp-site-health/v1/directory-sizes


我可以提供一套类似的给你。就看你能力了！

wang3y2

在当前主题目录的functions.php文件里添加以下代码：

1. // 在账号未登录时禁用wp-json/wp/v2/，防止泄露信息
   
2. add_filter( 'rest_authentication_errors', function( $result ) {
   
3.     if ( ! empty( $result ) ) {
   
4.         return $result;
   
5.     }
   
6.     if ( ! is_user_logged_in() ) {
   
7.         return new WP_Error( 'Access denied', 'You have no permission to handle it.', array( 'status' => 401 ) );
   
8.     }
   
9.     return $result;
   
10. });

复制代码

allen314

那么怎么屏蔽这个呢，哪位大佬来说说

sanquanjun

万年用admin

全球主机云

没事我又不是在重要人物

intro

好厉害啊

reizhi

好的吧，还真的可以
但是并没有什么鸟必要，我博客名就是登录用户名

cicvc

的确有点厉害

chinayang

我的防火墙也经常拦截到一些莫名其妙的攻击，不知道是干嘛的

Stellvia

404 Not Found
nginx

月の天使

厉害，改了名毫无用处