- 1
Block author-scan redirects
Requests like /?author=1 redirect to the user's archive, leaking the login name. Block them in .htaccess:
RewriteCond %{QUERY_STRING} author=\d RewriteRule ^ - [F] - 2
Restrict the users REST endpoint
The REST API can list users publicly. Require authentication for the users endpoint via a filter:
add_filter( 'rest_endpoints', function ( $endpoints ) { unset( $endpoints['/wp/v2/users'] ); unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ); return $endpoints; } ); - 3
Use generic login errors
Don't reveal whether the username or password was wrong. Replace login errors with a single generic message.
add_filter( 'login_errors', function () { return 'Invalid credentials.'; } ); - 4
Never use 'admin' as a username
Create a fresh admin account with a non-obvious name and delete the default 'admin' user if it exists.
Related concept: Brute Force Attacks
Is your site affected?
Run a free external scan — 36 checks, no login or plugin required.
More fix guides
Sanitize input, escape output, patch vulnerable plugins, and add a Content-Security-Policy.
Patch vulnerable plugins and use $wpdb->prepare() for every query with user input.
Block xmlrpc.php unless you need it — it enables brute-force amplification and pingback DDoS.
Add HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.