WordPress User Enumeration
Description
Often, web applications reveal when a username exists on system, either as a consequence of mis-configuration or as a design decision. For example, sometimes, when we submit wrong credentials, we receive a message that states that either the username is present on the system or the provided password is wrong. The information obtained can be used by an attacker to gain a list of users on system. This information can be used to attack the web application, for example, through a brute force or default username and password attack. OWASP
Recommendation
Block HTTP requests to /?author= and /wp-json/wp/v2/users/ URLs. You can use functions.php or .htaccess for this.
The below snippet is a sample .htaccess code you can use to prevent WordPress user enumeration.
RewriteEngine on
RewriteCond %{QUERY_STRING} (author=\d+) [OR]
RewriteCond %{REQUEST_URI} /wp-json/wp/v2/users/
RewriteRule .* - [F]
You should also make sure your theme is not displaying usernames.
Another option is to use plugins available for blocking user enumerations.
References
- OWASP: Testing for Account Enumeration and Guessable User Account
- WordPress
- CWE-200
- OWASP 2007-A6
- OWASP 2021-A1