WordPress User enumeration

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP PC-C1 CAPEC-310 CWE-200 ISO27001-A.14.1.2 WASC-15 WSTG-INFO-09

User Enumeration is an attack, where an attacker thoroughly scans a web application to discover the login name of the WordPress based web application. User enumeration is a conventional technique used by the attackers to reveal the usernames of a WordPress based site. The attacker successfully exploits this vulnerability by executing bash commands. This attack is used as a previous step to brute-force password attacks. By stopping user enumeration, the application would be able to block this attack. This attack also allows to log IPs launching these attacks. It is possible to enumerate usernames along with admin username via the author archives during the WordPress installation. This method can be checked using many WordPress Security Testing tools.

This type of attack is possible on sites that haven’t renamed the admin account to something else. This step is a necessary and partially useful way to reduce the possibility of a successful brute force attack. A secure username and password are essential for securing the server.


Whenever a post is uploaded to a website, the username or alias name is shown to the public as an author. By applying modifications to the URL to create a custom URL. This URL will be used by the attacker to access information put by the user or author.


The above URL, when executed in the browser will show all the posts from the user with id=1. The attackers can use this functionality to find all the available usernames in the system.

Mitigation / Precaution

Beagle recommends rewriting .htaccess to prevent this disclosure. We also recommend using nicknames, as it can avoid disclosing usernames.

        # Stop WordPress username enumeration vulnerability
        RewriteCond %{REQUEST_URI}  ^/$
        RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
        RewriteRule ^(.*)$ http://yourwebsite.com/somepage/? [L,R=301]


If the application is running on a VPS or dedicated server, the attack IP will be logged. Beagle recommends using (optional additional configuration) fail2ban to block the attack directly at your server’s firewall. The fail2ban is a compelling solution for VPS owners, as it can stop brute force attacks as well as DDoS attacks.

Latest Articles