WordPress user enumeration

The /wp-json/wp/v2/users endpoint lists every user who has published content, including each user's slug (user_nicename), which WordPress derives from the login name unless it was changed. Adding ?author=1 (or any other ID) to your site address redirects to that user's archive at /author/<slug>/, revealing the same value one account at a time; ID 1 is usually the first administrator.

Why it matters

Knowing valid usernames removes half of the guesswork: an attacker only needs to find the corresponding password and can aim password-spraying or credential-stuffing attempts at wp-login.php or xmlrpc.php using logins that are known to exist. Hiding usernames is defence in depth; it does not replace strong passwords, login rate limiting or two-factor authentication.

How to fix

Both snippets below are the page's own fixes, annotated; put them in a must-use plugin (wp-content/mu-plugins/) or your theme's functions.php. They close the two most common vectors; note that author archives are also linked from the core sitemap (wp-sitemap-users-1.xml, WordPress 5.5+) and that oEmbed responses carry an author_name field, so check those separately if the goal is to hide every author slug.

  1. Block the users REST API endpoint

     Unsetting the routes makes /wp-json/wp/v2/users and /wp-json/wp/v2/users/<id> answer 404 (rest_no_route). The block editor's author selector uses the same route for logged-in editors, so the guard below removes it for anonymous requests only:

     ```php
     add_filter('rest_endpoints', function($endpoints) {
       // Authenticated requests (the editor sends a nonce) keep the route.
       if (is_user_logged_in()) {
         return $endpoints;
       }
       // Collection route: lists users who have published content.
       if (isset($endpoints['/wp/v2/users'])) {
         unset($endpoints['/wp/v2/users']);
       }
       // Single-user route: /wp/v2/users/<id>.
       if (isset($endpoints['/wp/v2/users/(?P<id>[\d]+)'])) {
         unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
       }
       return $endpoints;
     });
     ```

  2. Block the ?author=N redirect

     template_redirect fires on every front-end request before the theme renders, so sending author queries back to the home page prevents the 301 to /author/<slug>/. The same archive is reachable through ?author_name=<slug>, which confirms whether a given slug exists, so the check covers both query variables:

     ```php
     add_action('template_redirect', function() {
       // ?author=N and ?author_name=<slug> both resolve to the author archive.
       if ((isset($_GET['author']) || isset($_GET['author_name'])) && !is_admin()) {
         wp_redirect(home_url('/'), 301);
         exit;
       }
     });
     ```

  3. Use a plugin

     Stop User Enumeration, WPScan Blocker or iThemes Security (now Solid Security) handle both protections via a graphical interface.
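Whichever option you pick, verify it from the outside. The script below is an added example (not code from this page, from WordPress or from any of the plugins named above): it requests the REST users route without credentials and probes ?author=1 through ?author=5 without following redirects, then reports the slugs each vector still reveals. The target URL, the author-ID range, the User-Agent string and the embedded sample responses are assumptions for illustration; the samples are constructed, not captured from a real site.

```python
"""Post-fix check for the two WordPress user-enumeration vectors.

Added example, not the audited page's or WordPress's own code. Assumptions:
the target is passed on the command line, author IDs 1..5 are probed, and the
SAMPLE_* strings below are constructed responses used only for offline checks.
"""
import json
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample responses (not captured from a real site).
SAMPLE_REST_LEAK = ('[{"id":1,"name":"Site Admin","slug":"admin"},'
                    '{"id":2,"name":"Jane Doe","slug":"jdoe"}]')
SAMPLE_REST_BLOCKED = ('{"code":"rest_no_route","message":"No route was found matching '
                       'the URL and request method.","data":{"status":404}}')
SAMPLE_AUTHOR_BODY = '<html><body class="archive author author-admin author-1">'


def slugs_from_rest(body: str) -> List[str]:
    """User slugs (user_nicename) in a /wp-json/wp/v2/users listing.

    A blocked route answers with a WP_Error object (a JSON dict), not a list,
    so it yields [], as does any non-JSON body.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, list):
        return []
    return [u["slug"] for u in data if isinstance(u, dict) and isinstance(u.get("slug"), str)]


def slug_from_author_redirect(status: int, location: Optional[str]) -> Optional[str]:
    """Slug leaked by the Location header of a /?author=N response, if any.

    Only a redirect that lands on /author/<slug>/ counts; a redirect to the
    home page (the page's fix) or a non-redirect status returns None.
    """
    if status not in (301, 302, 307, 308) or not location:
        return None
    m = re.search(r"/author/([^/?#]+)/?$", urlparse(location).path)
    return m.group(1) if m else None


def slug_from_author_body(body: str) -> Optional[str]:
    """Slug leaked when the author archive is served directly (plain permalinks, no redirect).

    WordPress adds body classes 'author-<nicename>' and 'author-<ID>'; the
    non-numeric one is the slug.
    """
    m = re.search(r'<body[^>]*class="([^"]*)"', body)
    if not m:
        return None
    for cls in m.group(1).split():
        if cls.startswith("author-") and not cls[len("author-"):].isdigit():
            return cls[len("author-"):]
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _fetch(url: str, timeout: float = 10.0):
    """Return (status, headers, body) for url without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "wp-enum-check/1.0"})  # assumed UA
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx (unfollowed), 4xx and 5xx all land here
        return err.code, err.headers, err.read().decode("utf-8", "replace")


def check_site(base_url: str, max_author_id: int = 5) -> Dict[str, List[str]]:
    """Probe both vectors on a live site; returns the slugs each one still exposes."""
    base_url = base_url.rstrip("/")
    leaks: Dict[str, List[str]] = {"rest": [], "author": []}

    status, _, body = _fetch(f"{base_url}/wp-json/wp/v2/users?per_page=100")
    if status == 200:
        leaks["rest"] = slugs_from_rest(body)

    for author_id in range(1, max_author_id + 1):
        status, headers, body = _fetch(f"{base_url}/?author={author_id}")
        slug = slug_from_author_redirect(status, headers.get("Location"))
        if slug is None and status == 200:
            slug = slug_from_author_body(body)
        if slug and slug not in leaks["author"]:
            leaks["author"].append(slug)
    return leaks


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"  # assumed target
    for vector, slugs in check_site(target).items():
        print(f"{vector}: {'still leaks ' + ', '.join(slugs) if slugs else 'blocked'}")
```

Run it as `python3 wp_enum_check.py https://your-site.example` after applying a fix; a result of `blocked` for both vectors means the REST route no longer lists users anonymously and ?author=N no longer exposes a slug by redirect or by body class. Because the REST guard above keeps the route for logged-in users, run the check from a session without WordPress cookies.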

Ready to fix this issue on your site?

Audit my site for free →