Can I Prevent Enumeration of Usernames?

Can I prevent enumeration of usernames on my wordpress site? I can see users at the moment using the WPScan tool.


A simple solution I use in a .htaccess:

RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ - [L,R=403]

It is similar to @jptsetme’s answer, but it works even when the query string is /?dummy&author=5, and the search pattern for RewriteRule is very fast: You often see a capture ([0-9]*) in regular expressions for this. But there is no need to waste memory for the capture when you don’t use the captured expression, and a match for the first character is enough, because you don’t want to accept author=1b.

Update 20.04.2017

I’m seeing more “broken” requests from people who are even too stupid to run a simple scan. The requested URLs look like this:


So you could extend the rule above to:

RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} ^author=\d+ [NC,OR]
RewriteCond %{QUERY_STRING} ^author=\{num 
RewriteRule ^ - [L,R=403]

Leave a Comment