User enumeration is a technique attackers use to discover valid usernames on your WordPress site. Once they have usernames, they can launch targeted brute-force attacks. There are several vectors to protect against.
Vector 1: Author Archives (?author=N)
By default, visiting ?author=1 redirects to that user's author archive (for example /author/admin/), which reveals the username in the URL. Block the numeric lookup on the front end:
// Block author enumeration via ?author=N on the front end
function block_author_enumeration() {
    // Leave the admin area alone so post lists filtered by author still work
    if (is_admin()) return;
    if (isset($_REQUEST['author']) && is_numeric($_REQUEST['author'])) {
        wp_redirect(home_url(), 301);
        exit;
    }
}
add_action('init', 'block_author_enumeration');
Vector 2: REST API User Endpoint
The /wp-json/wp/v2/users endpoint lists all users. Disable it for unauthenticated requests:
// Remove the users collection and single-user routes for anonymous requests;
// logged-in users (e.g. the block editor) keep them
add_filter('rest_endpoints', function($endpoints) {
    if (!is_user_logged_in()) {
        if (isset($endpoints['/wp/v2/users'])) {
            unset($endpoints['/wp/v2/users']);
        }
        // The key must match the registered route exactly, including the named group
        if (isset($endpoints['/wp/v2/users/(?P<id>[\d]+)'])) {
            unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
        }
    }
    return $endpoints;
});
Vector 3: Login Error Messages
WordPress shows different error messages for invalid usernames vs. wrong passwords. Unify them:
// Return the same message whether the username or the password was wrong
add_filter('login_errors', function() {
    return 'Invalid username or password.';
});
Vector 4: oEmbed Discovery
WordPress oEmbed responses can include author information. Remove the discovery links from the page head:
remove_action('wp_head', 'wp_oembed_add_discovery_links');
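The four snippets above are meant to be combined, so here they are consolidated into a single must-use plugin. This is an added example, not code from the original post: the file name, the log prefix and the 401 response wording are assumptions. It also goes slightly beyond the post in three places: the REST routes are blocked in rest_pre_dispatch with an explicit 401 rather than unset (so the response is a clean authentication error instead of a "no route" 404), the oEmbed JSON itself has author_name and author_url stripped (removing the discovery links only hides the <link> tags in the head; the /wp-json/oembed/1.0/embed endpoint still answers), and the users sitemap provider that WordPress 5.5+ publishes is switched off. Blocked attempts are written to the PHP error log so they can be picked up by whatever monitors that log.

```php
<?php
/**
 * Plugin Name: Block User Enumeration (added example)
 * Description: Consolidates the author-archive, REST, login-error and oEmbed measures into one mu-plugin.
 *
 * Assumed location: wp-content/mu-plugins/block-user-enumeration.php
 * mu-plugins load before regular plugins and cannot be deactivated from the dashboard.
 */

if (!defined('ABSPATH')) {
    exit;
}

// Small detection helper: record what was blocked and from where.
// REMOTE_ADDR is the proxy's address if the site sits behind one; adjust if needed.
function bue_log_blocked(string $vector): void {
    error_log(sprintf(
        'user-enum blocked [%s] ip=%s uri=%s',
        $vector,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-'
    ));
}

// Vector 1: ?author=N lookups on the front end.
add_action('init', function () {
    if (is_admin()) {
        return; // admin post lists legitimately filter by author ID
    }
    if (isset($_REQUEST['author']) && is_numeric($_REQUEST['author'])) {
        bue_log_blocked('author-archive');
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// Vector 2: /wp/v2/users and /wp/v2/users/<id> for anonymous requests.
// Runs before routing, so it also covers ?rest_route=/wp/v2/users requests.
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    if (is_user_logged_in()) {
        return $result; // editors and the block editor still need the endpoint
    }
    if (strpos($request->get_route(), '/wp/v2/users') === 0) {
        bue_log_blocked('rest-users');
        return new WP_Error(
            'rest_cannot_view',
            'Authentication required.',
            ['status' => 401]
        );
    }
    return $result;
}, 10, 3);

// Vector 3: one login error message regardless of which part was wrong.
add_filter('login_errors', function () {
    return 'Invalid username or password.';
});

// Vector 4: oEmbed. Drop the discovery <link> tags from the head and strip the
// author fields from the JSON the oEmbed endpoint returns.
remove_action('wp_head', 'wp_oembed_add_discovery_links');
add_filter('oembed_response_data', function ($data) {
    unset($data['author_name'], $data['author_url']);
    return $data;
});

// Extra vector not covered above: the users sitemap (/wp-sitemap-users-1.xml)
// introduced in WordPress 5.5 lists author archive URLs. Returning false removes
// the provider entirely.
add_filter('wp_sitemaps_add_provider', function ($provider, $name) {
    return $name === 'users' ? false : $provider;
}, 10, 2);
```

Copy the file into wp-content/mu-plugins/ (create the directory if it does not exist) and it takes effect on the next request; no activation step is needed. Because the REST block now returns a 401 with a JSON error body, a scanner such as InspectWP should report the users endpoint as unreachable for anonymous clients rather than as missing.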
Verify with InspectWP
After implementing these measures, run a new InspectWP scan. The security section should show user enumeration as no longer possible.