How do I prevent user enumeration on my WordPress site?

WordPress leaks usernames in several ways. In truth there is no way to fully prevent user enumeration, particularly if your website makes use of author pages. However, you can certainly reduce the attack surface and make user enumeration harder by following the steps below:

  • Disable the WordPress REST API if you are not using it,
  • Disable WordPress XML-RPC if you are not using it,
  • Configure your web server to block requests to /?author=<number>,
  • Don’t expose /wp-admin and /wp-login.php directly to the public Internet.
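
As an added example (not code from the original page), a WordPress must-use plugin in PHP that applies the first three steps at the application layer: it turns off XML-RPC, removes the public REST user endpoints (optionally requiring login for all REST calls), and rejects numeric /?author= requests instead of letting WordPress redirect them to /author/<login>/. It assumes the file is saved as wp-content/mu-plugins/reduce-user-enumeration.php; the fourth step (limiting access to /wp-admin and /wp-login.php) is a web server or network control and is not covered here.

```php
<?php
/**
 * Plugin Name: Reduce user enumeration (added example)
 * Save as wp-content/mu-plugins/reduce-user-enumeration.php so it loads on every request.
 */

// 1. Disable XML-RPC entirely when nothing (Jetpack, mobile apps, pingbacks) needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. REST API: drop every /wp/v2/users route, which otherwise lists accounts
//    (display name and slug, i.e. the login name) to anonymous callers.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// Optional, stricter: refuse every REST call from a visitor who is not logged in.
// The block editor and admin screens keep working because those requests are authenticated.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // an earlier check already produced an error
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
} );

// 3. /?author=<number>: answer 403 before WordPress's canonical redirect can turn the
//    numeric ID into /author/<login>/. Only purely numeric values are blocked, so author
//    archives reached by slug (/author/<login>/) are unaffected; block those in the web
//    server too if the site does not use author pages at all.
add_action( 'init', function () {
    if ( is_admin() ) {
        return;
    }
    $author = isset( $_REQUEST['author'] ) && is_string( $_REQUEST['author'] ) ? $_REQUEST['author'] : '';
    if ( '' !== $author && ctype_digit( $author ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
} );
```

After deploying, confirm with an unauthenticated request that /xmlrpc.php, /wp-json/wp/v2/users and /?author=1 no longer return user data or redirect to an author archive.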