WordPress username enumeration
Description
WordPress installations expose a user enumeration weakness through the author archive feature. The query /?author=N, where N is a sequential user ID, needs no authentication, and by iterating N (/?author=1, /?author=2, ...) an attacker can systematically discover the accounts on the site. With pretty permalinks enabled, each valid ID answers with a 301 redirect whose Location header points at /author/<slug>/; without pretty permalinks the archive page itself is served, and its title and the body class author-<slug> carry the same value. The slug is the account's user_nicename, which WordPress derives from the login name at account creation, so in the default configuration the redirect hands the attacker the login username directly. The result is a complete list of the accounts that have published content, which is the input a credential-stuffing or brute-force attack against wp-login.php or XML-RPC needs.
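The following script is an added example, not code from the original page; it demonstrates the enumeration described above and doubles as a check that the remediation below works. It asks /?author=N for N = 1..max_id without following redirects and extracts the leaked slug from either the Location header or the author-<slug> body class. The embedded responses and the host example.invalid are constructed sample data so the script runs offline; passing a real base URL on the command line runs it against a live site.

```python
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Pretty permalinks: /?author=N -> 301 Location: https://site/author/<slug>/
_LOCATION_RE = re.compile(r"/author/([^/?#]+)/?", re.IGNORECASE)
# No redirect: the archive page carries <body class="... author-<slug> author-<ID> ...">
_BODY_CLASS_RE = re.compile(r'<body[^>]*\bclass="([^"]*)"', re.IGNORECASE)


def extract_author_slug(status, headers, body):
    """Return the user slug leaked by one /?author=N response, or None if nothing leaks."""
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if status in (301, 302, 303, 307, 308) and location:
        m = _LOCATION_RE.search(urllib.parse.unquote(location))
        return m.group(1) if m else None
    if status == 200:
        m = _BODY_CLASS_RE.search(body)
        if m:
            for cls in m.group(1).split():
                # body_class() emits both author-<nicename> and author-<ID>; skip the numeric one
                if cls.startswith("author-") and not cls[len("author-"):].isdigit():
                    return cls[len("author-"):]
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base_url, author_id, timeout=10):
    """GET base_url/?author=N and return (status, headers, body) without following redirects."""
    url = f"{base_url.rstrip('/')}/?author={author_id}"
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "author-enum-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read(200_000).decode("utf-8", "replace")


def enumerate_authors(base_url, max_id=10, fetch_fn=fetch):
    """Return {author_id: slug} for every ID in 1..max_id whose response leaks a slug."""
    found = {}
    for author_id in range(1, max_id + 1):
        status, headers, body = fetch_fn(base_url, author_id)
        slug = extract_author_slug(status, headers, body)
        if slug:
            found[author_id] = slug
    return found


# Constructed sample responses (not captured from any real site) covering the cases above:
# a leaking redirect, a leaking archive page, a 404 for an unused ID, and a hardened site
# that redirects to the home page without exposing a slug.
SAMPLE_RESPONSES = {
    1: (301, {"Location": "https://example.invalid/author/admin/"}, ""),
    2: (200, {"Content-Type": "text/html"},
        '<html><body class="archive author author-editor-jane author-2">...</body></html>'),
    3: (404, {}, '<html><body class="error404"></body></html>'),
    4: (301, {"Location": "https://example.invalid/"}, ""),
}


def sample_fetch(base_url, author_id):
    return SAMPLE_RESPONSES.get(author_id, (404, {}, ""))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = enumerate_authors(sys.argv[1], max_id=10)
    else:
        result = enumerate_authors("https://example.invalid", max_id=5, fetch_fn=sample_fetch)
    for author_id, slug in sorted(result.items()):
        print(f"author={author_id} -> {slug}")
```

After applying the remediation, a site should produce an empty result for the IDs it previously leaked; a redirect to / (ID 4 in the sample data) is correctly reported as not leaking.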
Remediation
Implement multiple layers of defense to prevent username enumeration and protect user accounts:
1. Block Author Enumeration via .htaccess
Add the following rewrite rules to your .htaccess file, above the "# BEGIN WordPress" block (WordPress rewrites the contents of that block when permalinks change), so that author enumeration attempts are redirected to the home page. The condition matches author= anywhere in the query string, not only at its start, so /?foo=1&author=1 is caught too; the wp-admin exclusion keeps the post list filter edit.php?author=N working for editors; and the trailing "?" on the redirect target discards the original query string, since Apache would otherwise append it and the redirect to /?author=1 would match the rule again and loop:
# Prevent WordPress username enumeration via ?author=N
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+ [NC]
RewriteRule ^ /? [R=301,L]
This applies only to Apache with AllowOverride enabled; nginx and other servers need an equivalent rule in the server configuration. Verify the fix by requesting /?author=1 with redirects disabled (for example curl -I) and confirming the Location header no longer contains /author/<slug>/.
2. Use Display Names Instead of Usernames
Set every account's "Display name publicly as" value (Users → Profile) to something that differs from the login name, so that bylines, comments and the author archive title do not print the username. On its own this does not close the ?author=N leak: the redirect target and the body class use the user_nicename slug, which WordPress derives from the login name when the account is created and does not update when the display name changes. Either change the slug as well (WordPress offers no profile field for it; a user-management plugin or a direct update of the user_nicename column in wp_users is required) or block the redirect as in step 1.
3. Implement Additional Security Measures
- Install a security plugin that blocks author enumeration attempts, and confirm it also restricts the REST API users endpoint (/wp-json/wp/v2/users), which returns the same author slugs to unauthenticated clients
- Enforce strong password policies for all user accounts; knowing a username only helps an attacker whose password guesses can succeed
- Enable two-factor authentication (2FA) so that a compromised or guessed password is not sufficient to log in
- Implement rate limiting on wp-login.php and xmlrpc.php to slow automated brute-force attacks
- Monitor authentication logs for bursts of failed logins across many usernames, the pattern that follows a successful enumeration