How to Block WordPress User Enumeration Attacks

Learn how attackers enumerate WordPress usernames and how to block these techniques. Protect your admin usernames from discovery.

Marcus Johnson

User enumeration is the process of discovering valid usernames on your WordPress site. Attackers use enumerated usernames for targeted brute force attacks. Blocking enumeration makes attacks significantly harder.

How User Enumeration Works

Author Archive Method

Visiting yoursite.com/?author=1 redirects to:

yoursite.com/author/admin/

The username "admin" is now exposed.

REST API Method

The endpoint /wp-json/wp/v2/users returns:

[{"id":1,"name":"Admin User","slug":"admin"...}]

Every user who has published a post is exposed in JSON, including the login slug.

Login Error Method

WordPress shows different errors for:

  • "Unknown username" - username doesn't exist
  • "Incorrect password" - username exists!

Attackers can test usernames without passwords.

oEmbed Method

oEmbed responses (for example /wp-json/oembed/1.0/embed?url=<post URL>) include author_name and author_url fields. author_url is the author's archive URL, which contains the user slug.

Why Enumeration is Dangerous

Targeted Attacks

With known usernames, attackers can:

  • Focus brute force on valid accounts
  • Try common passwords for specific users
  • Attempt credential stuffing
  • Social engineer users directly

Reduced Attack Difficulty

Without enumeration, attackers must guess both username AND password. With enumeration, they only need the password.

Blocking Enumeration Techniques

Method 1: WP Folder Shield (Recommended)

  1. Navigate to WP Folder Shield > Settings
  2. Enable "Block User Enumeration"
  3. Save changes

This blocks all of the enumeration methods described above automatically.

Method 2: Manual Code

Add the following snippets to a must-use plugin or your theme's functions.php.

Block Author Archive Method

add_action('init', function () {
    if (is_admin()) return;
    $query = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
    // Match ?author=N requests and send them to the home page instead
    if (preg_match('/(^|&)author=([0-9]+)/i', $query)) {
        wp_safe_redirect(home_url());
        exit;
    }
});

Block REST API User Endpoint

add_filter('rest_endpoints', function ($endpoints) {
    // Keep the routes for logged-in users: the block editor uses them for author selection
    if (is_user_logged_in()) return $endpoints;
    // Remove both the collection route and the single-user route
    unset($endpoints['/wp/v2/users']);
    unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});

Normalize Login Errors

// Replace every login failure message with one that does not say which part was wrong
add_filter('login_errors', function () {
    return 'Invalid credentials.';
});

What WP Folder Shield Blocks

  • Author archive parameter (?author=X)
  • REST API user endpoints
  • oEmbed author information
  • Login error information disclosure
  • User sitemap (if applicable)
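The list above includes oEmbed author data and the user sitemap, which the manual snippets in Method 2 do not cover. The must-use plugin below is an added example, not WP Folder Shield's code, that closes those two gaps with WordPress core hooks. It also handles the pretty-permalink form of the author archive (/author/admin/), which a query-string check alone misses. The hook names are WordPress core's; the plugin name and the file location in the header are assumptions.

```php
<?php
/**
 * Plugin Name: Block user enumeration (example mu-plugin)
 * Description: Example only. Assumed location: wp-content/mu-plugins/block-user-enumeration.php
 */

// Author archives: is_author() is true both for ?author=N and for /author/<slug>/,
// so this covers the pretty-permalink form the query-string check misses.
// Priority 1 runs before redirect_canonical() (priority 10), which would otherwise
// redirect ?author=1 to /author/<slug>/ and reveal the slug in the Location header.
add_action('template_redirect', function () {
    if (is_author()) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// oEmbed: core fills author_name with the display name and author_url with the
// author archive URL (which contains the user slug). Drop both fields.
add_filter('oembed_response_data', function (array $data) {
    unset($data['author_name'], $data['author_url']);
    return $data;
});

// Core sitemaps (WordPress 5.5+): returning a non-provider for the "users" name
// skips that provider, so wp-sitemap-users-1.xml is never generated.
add_filter('wp_sitemaps_add_provider', function ($provider, $name) {
    return 'users' === $name ? false : $provider;
}, 10, 2);
```

Files in wp-content/mu-plugins/ load before ordinary plugins and cannot be deactivated from the dashboard, which is why this kind of hardening is usually placed there. Combine it with the REST and login-error snippets from Method 2 to cover the full list.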

Testing Your Protection

Test Author Archive

Visit: yoursite.com/?author=1

It should redirect to the home page or return a 404, not the author archive.

Test REST API

Visit: yoursite.com/wp-json/wp/v2/users

It should return an error or an empty response, not a list of users.

Test Login Errors

Try logging in with invalid username. Error should not confirm whether username exists.
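The three manual checks above can be run together from the command line. The script below is an added example, not part of the article or of WP Folder Shield, written for PHP's command-line interpreter with the curl extension; the script name, the user-agent string and the check wording are my own. It prints LEAKS for any check that still exposes information and exits non-zero so it can run from a cron job or a deployment pipeline against your own site.

```php
<?php
// Usage: php check-enumeration.php https://yoursite.com
// Example script (not part of WP Folder Shield). Requires PHP 7.4+ with ext-curl.

// Perform one request without following redirects; return status, redirect target and body.
function fetch(string $url, ?array $post = null): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,
        CURLOPT_FOLLOWLOCATION => false,   // the redirect target itself is what we inspect
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_USERAGENT      => 'enumeration-self-check/1.0',
    ]);
    if ($post !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    }
    $raw        = (string) curl_exec($ch);
    $status     = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $location   = (string) curl_getinfo($ch, CURLINFO_REDIRECT_URL);
    $headerSize = (int) curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    curl_close($ch);
    return ['status' => $status, 'location' => $location, 'body' => substr($raw, $headerSize)];
}

// Test 1: ?author=1 leaks if it redirects to /author/<slug>/, or if it serves the
// archive directly (WordPress adds the "author" body class on author archives).
function author_archive_leaks(array $r): bool {
    if (in_array($r['status'], [301, 302, 307, 308], true)) {
        return preg_match('#/author/[^/?]+#', $r['location']) === 1;
    }
    return $r['status'] === 200
        && preg_match('/<body[^>]*class="[^"]*\bauthor\b/i', $r['body']) === 1;
}

// Test 2: /wp-json/wp/v2/users leaks if the JSON is a list of user objects with a slug.
// An error object such as {"code":"rest_no_route",...} or an empty list is fine.
function rest_users_leaks(array $r): bool {
    $json = json_decode($r['body'], true);
    if (!is_array($json)) {
        return false;
    }
    foreach ($json as $item) {
        if (is_array($item) && isset($item['slug'])) {
            return true;
        }
    }
    return false;
}

// Test 3: the login error leaks if it uses core's wording that distinguishes
// an unknown username from a wrong password.
function login_error_leaks(string $body): bool {
    $telltales = [
        'Unknown username',
        'Invalid username',
        'Unknown email address',
        'The password you entered for the username',
    ];
    foreach ($telltales as $phrase) {
        if (stripos($body, $phrase) !== false) {
            return true;
        }
    }
    return false;
}

$site = rtrim($argv[1] ?? '', '/');
if ($site === '') {
    fwrite(STDERR, "usage: php check-enumeration.php https://yoursite.com\n");
    exit(2);
}

// The login check uses a random, non-existent username; only the error wording matters.
$bogusUser = 'no-such-user-' . bin2hex(random_bytes(4));
$results = [
    'author archive' => author_archive_leaks(fetch($site . '/?author=1')),
    'REST users'     => rest_users_leaks(fetch($site . '/wp-json/wp/v2/users')),
    'login errors'   => login_error_leaks(fetch($site . '/wp-login.php', [
        'log' => $bogusUser, 'pwd' => 'wrong-password', 'wp-submit' => 'Log In',
    ])['body']),
];

$exit = 0;
foreach ($results as $check => $leaks) {
    printf("%-15s %s\n", $check, $leaks ? 'LEAKS' : 'ok');
    $exit |= (int) $leaks;
}
exit($exit);
```

The login check makes one failed login attempt, so if you run it on a schedule, allow the checking host in your login-attempt limiter or it will eventually be locked out and the check will start reporting on the lockout page instead of the login form.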

Combine with Other Protections

User enumeration blocking works best with:

  • Strong passwords
  • Two-factor authentication
  • Login attempt limiting
  • Custom login URL

Get WP Folder Shield to block all user enumeration techniques and protect your admin accounts.

Written by Marcus Johnson

WP Folder Shield Team
