WordPress User Enumeration

Impact: Medium


User Enumeration occurs when web applications inadvertently reveal whether a username exists on the system, either due to misconfiguration or design decisions. Attackers exploit this by gathering a list of valid usernames to launch targeted attacks, such as brute force or default username and password attacks.


Block HTTP requests to /?author= and /wp-json/wp/v2/users/ URLs. You can use functions.php or .htaccess for this. The below snippet is a sample .htaccess code you can use to prevent WordPress user enumeration.

RewriteEngine on
RewriteCond %{QUERY_STRING} (author=\d+) [OR]
RewriteCond %{REQUEST_URI} /wp-json/wp/v2/users/
RewriteRule .* - [F]

You should also make sure your theme is not displaying usernames.

Another option is to use plugins available for blocking user enumerations.


Last updated on May 13, 2024

This issue is available in SmartScanner Professional

See Pricing