medium risk

How to Stop User Enumeration in WordPress

User enumeration lets attackers discover valid usernames — through author archives (?author=1), the REST API (/wp-json/wp/v2/users), or login error messages. Once they have usernames, brute-forcing passwords is far easier.

  1. 1

    Block author-scan redirects

    Requests like /?author=1 redirect to the user's archive, leaking the login name. Block them in .htaccess:

    RewriteCond %{QUERY_STRING} author=\d
    RewriteRule ^ - [F]
  2. 2

    Restrict the users REST endpoint

    The REST API can list users publicly. Require authentication for the users endpoint via a filter:

    add_filter( 'rest_endpoints', function ( $endpoints ) {
      unset( $endpoints['/wp/v2/users'] );
      unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
      return $endpoints;
    } );
  3. 3

    Use generic login errors

    Don't reveal whether the username or password was wrong. Replace login errors with a single generic message.

    add_filter( 'login_errors', function () {
      return 'Invalid credentials.';
    } );
  4. 4

    Never use 'admin' as a username

    Create a fresh admin account with a non-obvious name and delete the default 'admin' user if it exists.

Related concept: Brute Force Attacks

Is your site affected?

Run a free external scan — 36 checks, no login or plugin required.

Scan your site free

More fix guides