Commit 598efcd

bugfix rest detection
1 parent 501f710 commit 598efcd

2 files changed

+7
-7
lines changed

wp-author-security/readme.txt

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -4,7 +4,7 @@ Tags: security, user enumeration
44
Requires at least: 4.7
55
Tested up to: 5.3
66
Requires PHP: 5.6
7-
Stable tag: 1.0
7+
Stable tag: 1.1.1
88
License: GPLv3
99

1010
Protect against user enumeration attacks on author pages.
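Review bot: the Stable tag jumps from 1.0 straight to 1.1.1 in this hunk, while the plugin header in wp-author-security.php goes from 1.1.0 to 1.1.1, so readme.txt was evidently not bumped for the 1.1.0 release; please keep the two in lockstep, and if the readme carries a Changelog section, give 1.1.1 an entry that says what "bugfix rest detection" fixed (REST requests for wp/v2/users arriving via the permalink-style URI were not being detected), since a silent version bump tells users nothing about a security-relevant change.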

wp-author-security/wp-author-security.php

Lines changed: 6 additions & 6 deletions
Original file line number | Diff line number | Diff line change
@@ -4,7 +4,7 @@
44
* Description: Protects against user enumeration attacks for author pages. By default, Wordpress will display some sensitive information on author pages. The author page is typically called by requesting the URI https://yourdomain.com/?author=<id> or with permalinks https://yourdomain.com/author/<username>. The page will include the full name (first and last name) as well as the username of the author which is used to login to Wordpress. In some cases, it is not wanted to expose this information to the public. An attacker is able to brute-force valid IDs or valid username. This information might be used for further attacks like social-engineering attacks or login brute-force attacks with gathered usernames. By using the extension, you are able to disable the author pages either completely or only for users that do not have any published posts yet. When the page is disabled the default 404 page not found is displayed.
55
* Author: mgm-sp
66
* Author URI: https://www.mgm-sp.com
7-
* Version: 1.1.0
7+
* Version: 1.1.1
88
* License: GPL3
99
* Plugin URI: https://github.com/mgm-sp/wp-author-security
1010
*/
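Review bot: the Description in this header (line 4, unchanged here) still describes only the author pages (?author=<id> and /author/<username>), but the plugin also blocks REST requests for the wp/v2/users route in check_rest_api() further down, gated by the disableRestUser option; since this hunk only bumps the version, add a sentence to the Description stating that the REST users endpoint can be disabled as well and that it returns the same 404, so the header matches what the plugin actually does. The spelling "Wordpress" in that line should also become "WordPress" the next time the header is touched.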
@@ -68,13 +68,13 @@ function check_author_request() {
6868
*/
6969
function check_rest_api()
7070
{
71-
// check if protection is disabled for logged in user
72-
if( is_user_logged_in() && get_option('disableLoggedIn')) {
71+
if(!isEnabled()) {
7372
return;
7473
}
75-
$pattern = '/wp\/v2\/users/';
76-
$restRoute = $_REQUEST['rest_route'];
77-
if(isset($_REQUEST['rest_route']) && preg_match($pattern, $_REQUEST['rest_route']) ) {
74+
$pattern = '/wp\/v2\/users/i';
75+
$restRouteMatch = (isset($_REQUEST['rest_route']) && preg_match($pattern, $_REQUEST['rest_route']));
76+
$requestUriMatch = (isset($_SERVER['REQUEST_URI']) && preg_match($pattern, $_SERVER['REQUEST_URI']));
77+
if( $restRouteMatch || $requestUriMatch ) {
7878
if(get_option( 'disableRestUser' )) {
7979
display_404();
8080
}
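Review bot: the new $_SERVER['REQUEST_URI'] check (diff line 76) uses the unanchored pattern /wp\/v2\/users/i, so it fires on any front-end URL whose path or query string merely contains that substring (a search such as /?s=wp/v2/users, or a post slug containing it) and turns those pages into 404s; it also compares the raw request string rather than the route WordPress itself resolved. It does close the gap the commit targets, since the old code only looked at $_REQUEST['rest_route'] and missed the permalink form /wp-json/wp/v2/users, but a more robust place for this check is the rest_pre_dispatch filter, where $request->get_route() yields the normalised route and an anchored pattern such as `#^/wp/v2/users(/|$)#i` can be applied before returning a WP_Error whose data carries 'status' => 404; alternatively the endpoint can be dropped entirely via the rest_endpoints filter. Either way the check then runs only for real REST requests, and the $_REQUEST lookup (which, depending on request_order, may also be populated from cookies) is no longer needed. Adding the i flag is correct, since WordPress matches REST routes case-insensitively, and dropping the stray `$restRoute = $_REQUEST['rest_route'];` line removes the undefined-index notice the old code raised when no rest_route parameter was present.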

0 commit comments