WordPress User Enumeration Techniques and How to Fix Them


User enumeration is a technique that lets hackers discover the usernames registered on your website.

Once a hacker identifies your username, they can use it in a brute force attack against your login page until they gain access to your admin area.

In this article, I’ll show you the techniques hackers use to find usernames and quick ways to prevent user enumeration in WordPress.

WordPress Enumeration Techniques To Identify Username

Here are the enumeration techniques most commonly used by hackers against your site.

Author Archives

Finding users by iterating through the author archives is a common technique that works in most versions of WordPress by default.

In WordPress, a unique user ID is assigned to each username you create. This user ID is used by the application in the database and for referencing the user account.

To enumerate usernames through the author archives, an attacker simply appends an integer as the value of the author query parameter to your site’s URL.

An attacker can enter any number; for example, author=1 requests the archive for user ID 1.

When this URL is requested, WordPress displays the associated author archive page, which lists all posts by the author whose ID is 1. The archive page (and, with pretty permalinks enabled, the /author/username/ URL that WordPress redirects to) reveals that account’s username.

An attacker now knows the correct admin username for your site, which is not good. Using this method, the attacker can identify all the usernames by fuzzing the author parameter with successive IDs.

Unless you’ve taken explicit steps to prevent this type of user enumeration, your site is vulnerable to this exploit.

Login Error Messages

Another method hackers try is the WordPress admin login page. By default, WordPress allows users to try username and password combinations as many times as they want.

See also: How & Why To Limit Login Attempts in WordPress

If the username exists, the error message reveals that the username is correct but the password is wrong. Similarly, if the guessed username is wrong, the error message states that the username does not exist.

By guessing usernames against the login form and reading the error messages, an attacker can enumerate valid usernames with a brute force approach.

Unfortunately, combined with the first method, the hacker already knows the admin username and just needs to guess the admin password.

Post Meta Information

In some cases, the cause of the user enumeration is a theme vulnerability.

Theme template files sometimes display the author name in the post meta information, on author-archive pages, or in other locations.

Here’s an example website (screenshot: post meta information leaking the username).

As you hover over the author’s name, the author-archive link shown underneath reveals the username.

This isn’t good and should be disabled, since it lets a hacker fetch your username.

So, be careful in choosing a WordPress theme for your website.

See also: How To Remove Author Link in Avada WordPress Theme

How to Stop User Enumeration in WordPress

There are plenty of ways to stop user enumeration. We’ll go through each of them below:

  • Use a plugin
  • Hide Login Hints
  • Add code snippet to the theme’s functions.php file
  • Add code snippet to site’s root .htaccess file

Use Stop User Enumeration Plugin

One of the best ways to stop user enumeration is a plugin called Stop User Enumeration.

This is a very simple plugin that is well supported, popular, favorably rated, and easy to use.

Basically, it’s one of those plugins that just works.

There are no settings for this plugin; it’s simply a set-it-and-forget-it type of deal.

Before forgetting about it, however, we do want to check the plugin and verify that it’s working properly.

Now, return to your site’s home page and append ?author=1 to the URL. The plugin should deny the author ID request with a simple forbidden message.

Feel free to enter some other IDs and watch as they are all stopped.

Hiding Login Hints in WordPress

Another good way to counter this kind of threat is hiding login hints.

All you have to do is simply add the following code to your theme’s functions.php file.

function wpms_no_wordpress_hints() {
    // Return the same generic message for every login failure,
    // so the response no longer reveals whether the username exists
    return 'Something is wrong!';
}
add_filter( 'login_errors', 'wpms_no_wordpress_hints' );

This code hooks the login_errors filter and returns a custom message, overriding the default WordPress login errors.

See also: How To Remove The Login Shake Effect in WordPress

Now if someone enters an incorrect username, email, or password combination, WordPress simply shows the error “Something is wrong!” without giving any hints.

Code Snippet to the Theme’s functions.php File

To block user enumeration via functions.php, add the following code to your theme’s functions file:

if (!is_admin()) {
    // default URL format: ?author=N in the raw query string
    if (preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])) die();
    add_filter('redirect_canonical', 'wpms_check_enum', 10, 2);
}
function wpms_check_enum($redirect, $request) {
    // permalink URL format: WordPress is about to redirect /?author=N to /author/username/
    if (preg_match('/\?author=([0-9]*)(\/*)/i', $request)) die();
    else return $redirect;
}

No editing is required for this to work; just copy, paste and you’re done. Here’s how it works:

  1. Skip the checks if the request is for a page in the WP Admin Area (is_admin()), so the dashboard keeps working
  2. Otherwise, block the request if it’s for an author archive, whether author= appears in the query string directly or in the request WordPress is about to redirect to the permalink form

Code Snippet to Site’s Root .htaccess File

If you would rather block requests at the server level, you can add the following code to your site’s root .htaccess file:

# Block User ID Phishing Requests
RewriteEngine On
# Match author=<digits> anywhere in the query string, not only as the first parameter
RewriteCond %{QUERY_STRING} (^|&)author=([0-9]+)
RewriteRule .* http://domain.com/? [L,R=302]

Replace http://domain.com/ with your actual WordPress site URL. The trailing ? on the rewrite target drops the original query string from the redirect.

Final Thoughts

WordPress Security is a constant battle for website owners.

Here, we’ve seen different ways to prevent the threat known as user enumeration, which attackers use to obtain sensitive user information.

By installing a simple plugin and changing the error messages, we’ve added another layer of security to help mitigate exploits and keep our WordPress site safe and secure. We’ve also added simple code snippets to the theme’s functions.php and the site’s .htaccess file for added protection.

I hope you’ve learned how to fix WordPress user enumeration. Share your experience or any suggestions in the comment box below.

If you liked this article, then please subscribe to my YouTube Channel for WordPress video tutorials. You can also find me on LinkedIn, Facebook, and Twitter.


7 Responses

  1. Hi Rod,

    Thanks for the tips!

    For the longest time, I have been using the Avada theme. I hadn’t noticed it exposed my username.

    I disabled the link now. Thankfully I came across this part here.

    Thanks once again, mate.

  2. Great article, Rod
    I probably should try one of these techniques soon. This is great to stay away from attackers. I’ve been a victim before and applying this might be able to save me in the future. Keep it up.

  3. Hey, Rod, excellent tip as always. Will it be ok to use Yoast SEO to disable the author archives? Will this not give any issues?
    Once again, I’ll appreciate your help. Thanks

    1. Hello Sarah, thanks for dropping by. And yes, Yoast SEO is a great plugin and you can use it to disable the author archives. Also, I don’t see any issues with it.
      Just give it a try. Thanks
