WordPress User Enumeration

Impact: Medium


Often, web applications reveal when a username exists on system, either as a consequence of mis-configuration or as a design decision. For example, sometimes, when we submit wrong credentials, we receive a message that states that either the username is present on the system or the provided password is wrong. The information obtained can be used by an attacker to gain a list of users on system. This information can be used to attack the web application, for example, through a brute force or default username and password attack. OWASP


Block HTTP requests to /?author= and /wp-json/wp/v2/users/ URLs. You can use functions.php or .htaccess for this. The below snippet is a sample .htaccess code you can use to prevent WordPress user enumeration.

RewriteEngine on
RewriteCond %{QUERY_STRING} (author=\d+) [OR]
RewriteCond %{REQUEST_URI} /wp-json/wp/v2/users/
RewriteRule .* - [F]

You should also make sure your theme is not displaying usernames.

Another option is to use plugins available for blocking user enumerations.


Last updated on February 15, 2021

This issue is available in SmartScanner Professional

See Pricing