There are several WordPress user enumeration methods that exist for listing information about WordPress users on a site publicly.
User enumeration is considered a security vulnerability and can be scanned with several security scanner tools like WP Scan (GitHub).
These are the current URL examples for WordPress user enumeration we are currently aware of in 2023:
- https://wp-bullet.com/?author=1
- https://wp-bullet.com/author/wpbullet
- https://wp-bullet.com/?author={num:1}
- https://wp-bullet.com/sitemap-users-1.xml
- https://wp-bullet.com/wp-json/wp/v2/users
Here is the nginx snippet collection for blocking WordPress user enumeration for the 5 methods listed above.
# WordPress User enumeration blocking author query string
if ($args ~* "^author=([0-9]+|{num:[0-9]+)") {
return 444;
}
# WordPress User Enumeration author page pretty link
if ($request_uri ~ "/author/") {
return 444;
}
# Block user enumeration sitemap - note that this covers the unicode version of - as %2d
if ($request_uri ~ "wp-sitemap-users-[0-9]+.xml") {
return 444;
}
# WordPress REST API User Enumeration
if ($request_uri ~ "/wp-json/wp/v2/users") {
return 444;
}
Now you can test the different URLs and you will get an error message like this if you are behind Cloudflare
Sources
StackExchange – Can I prevent Enumeration of Usernames
Prevent Enumeration of Usernames in nginx
WPMUDev – How to Prevent Enumeration of Usernames in nginx
Hackertarget – WordPress User Enumeration
Blocking WordPress User Enumeration on nginx
Server Logs Explained