prevent user enumeration via /wp-json

theMiddleBlue · theMiddleBlue · commit f633889b668a · 2018-07-18T11:33:18.000+02:00
diff --git a/05-HARDENING.conf b/05-HARDENING.conf
@@ -63,7 +63,22 @@ SecRule tx:wprs_allow_user_enumeration "@eq 1" \
 
 SecMarker BEGIN_WPRS_USER_ENUMERATION
 
-SecRule REQUEST_URI "(author\=[0-9]+)" "phase:1,id:22200019,\
+SecRule REQUEST_URI "(author\=[0-9]+)" "phase:1,id:22200029,\
+  t:lowercase,t:urlDecode,t:trim,\
+  block,\
+  log,\
+  rev:'1',\
+  severity:'6',\
+  maturity:'9',\
+  accuracy:'9',\
+  capture,\
+  ver:'%{tx.wprs_version}',\
+  tag:'wordpress',\
+  tag:'enumeration',\
+  logdata:'Detected on %{TX:1}',\
+  msg:'WordPress: User enumeration'"
+
+SecRule REQUEST_FILENAME "^(/wp\-json/wp/v[0-9]+/users)" "phase:1,id:22200033,\
   t:lowercase,t:urlDecode,t:trim,\
   block,\
   log,\
