User enumeration: if you haven’t heard of it yet, now’s the time to learn. This common WordPress weakness is an information leak rather than a break-in on its own, but it often serves as the first step bad actors take toward unauthorized access to your WordPress website.
Through user enumeration vulnerabilities, people can gain access to a list of usernames on your site. From there, this often leads to brute force attacks and other types of attacks. Luckily, there are various ways to shut down user enumeration.
This article will walk you through all the ways to stop user enumeration and keep your site secure.
What is WordPress user enumeration?
WordPress user enumeration is a technique that allows bad actors to discover the usernames of user accounts on your website. That may not sound too serious – how much can someone do with just a username?
Quite a lot, it turns out, meaning it poses a significant risk. Brute force attacks, social engineering attacks, and taking advantage of password reuse to break into accounts are just some reasons why user enumeration can be a big problem.
By default, WordPress ships with several features (author archives, the REST API users endpoint, XML-RPC, and descriptive login errors) that reveal usernames to anyone through simple URL manipulation or by probing the login form. With these, anyone can work out the username of your admin account or pull a list of the users who publish on your site.
The impact of user enumeration
Since user enumeration is considered a fairly non-severe threat – after all, all the bad actors get is usernames – you may be tempted to do nothing. But it’s definitely worth taking the time to reduce the risk, especially as it’s fairly easy to do.
Here’s how leaving user enumeration open to bad actors can negatively impact your website and your brand.
1: User privacy violation – Allowing bad actors to conduct user enumeration attacks on your website means leaving user information, and your own information, open to exposure. Even just exposing usernames can be considered a privacy breach, especially if these usernames are tied to real names, email addresses, or other identifiable information.
2: Brute force attacks – User enumeration provides the first step in a brute force attack. Once attackers have a list of valid usernames, they can systematically try various password combinations until they gain access to an account. This method can be highly effective, especially if users employ weak or commonly used passwords. Data theft is one concern, as is your admin account being compromised.
3: Social engineering attacks – With valid usernames in hand, attackers can also engage in social engineering attacks, tricking users into revealing sensitive information like their passwords. For example, attackers might send phishing emails that appear to come from your site, asking users to reset their passwords. The more personalized the attack, the more likely it is to succeed.
4: Credential stuffing attacks – Bad actors combine the usernames they have collected with credentials from earlier breaches of other sites, and use them to compromise accounts whose owners reuse passwords.
5: Denial of Service attacks – If you’re using a login security plugin that locks accounts after a number of failed attempts, this can be turned against you. Bad actors with a valid username list can deliberately spam those accounts with failed logins, locking legitimate users out.
6: Damaged reputation – An open user enumeration vulnerability, especially if it results in breaches due to brute force and social engineering attacks, can severely damage your brand’s reputation. Users who feel unsafe will be less likely to engage with your website and content, and the reputational damage can be long-lasting.
With all this in mind, it’s clear why preventing user enumeration should be a priority.
User enumeration takes advantage of certain default behaviours of the WordPress platform. Let’s go into detail on how it works and how to stop it.
How to prevent user enumeration in WordPress
There are many ways to protect your website from user enumeration. Since attackers can use various methods to enumerate users, you’ll need to take various actions in order to significantly reduce the risk.
Disable author archives
One of the simplest methods attackers use for user enumeration is the author archive. WordPress gives every user an archive URL of the form yoursite.com/author/slug/, where the slug (the user_nicename) is the username unless it has been changed. Request a guessed name: a page that loads confirms a valid username, a 404 rules it out.
Worse, there’s an even easier route that needs no guessing. Every user has a numeric ID, and requesting yoursite.com/?author=1 makes WordPress redirect to that user’s archive URL, slug included, while an ID that doesn’t exist returns a 404.
So there’s no need to guess usernames; just walk the IDs 1, 2, 3 … and read the usernames out of the redirects.
Author archives are a useful way to see all of an author’s posts on sites with several writers and therefore can’t always be disabled. But many sites don’t need them at all, for example blogs with only one author or WordPress sites without a blog.
A simple, configuration-free security plugin can be used to stop bots from manipulating author archives and permalinks to find usernames: Disable Author Archives. Just install it through Plugins > Add New.
After that, you’re done. Now when anyone tries to get to an author archives page or use the ?author=1 URL exploit, they’ll see a 404 page.
Disable REST API user endpoints
The REST API is another area of concern. The WordPress REST API is a powerful feature that allows developers to interact with your site’s data using HTTP requests. However, this functionality can also be exploited for user enumeration.
The method is simple: request yoursite.com/wp-json/wp/v2/users (or the alias yoursite.com/?rest_route=/wp/v2/users, which works even where /wp-json/ is blocked at the web server). Without logging in, this returns a JSON list of every user who has published at least one post, including a slug field that is the username unless it has been changed. This makes it trivial for bad actors to gather the information they need to launch targeted attacks.
With this, anyone can pull the list of publishing users in a single request, far faster than walking author IDs one by one.
To fix this, you can install the Stop User Enumeration plugin through Plugins > Add New. Several settings are built into the plugin to block user enumeration, including blocking REST API user endpoints.
This is another very simple, plug-and-play plugin. You can check out the settings page through Settings > Stop User Enumeration, but everything starts ticked. Make sure Stop REST API User calls is checked.
Now when a visitor who isn’t logged in requests the REST API user endpoints, they’ll get an error response instead of the user list.
Disable WordPress XML-RPC
XML-RPC is a protocol built into WordPress that can be used for user enumeration and for brute force attacks: its system.multicall method packs hundreds of login attempts into a single HTTP request, which sidesteps per-request rate limits. Some sites do need it (the Jetpack plugin and some remote publishing tools talk to xmlrpc.php), but many don’t use it at all, in which case it is attack surface with no benefit.
If your website doesn’t use XML-RPC, then it’s recommended to turn it off, and the easiest way to do so is with this plugin: Disable XML-RPC.
This plugin is so simple that it doesn’t even have a settings page. Install and activate it through Plugins > Add New to turn off XML-RPC, and deactivate it to turn XML-RPC back on.
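If you’d rather not add three plugins, the same three fixes fit in one small must-use plugin. The file below is an added example written for this article, not code from the article’s author or from any of the plugins named above, and it only targets standard WordPress hooks (template_redirect, rest_endpoints, xmlrpc_enabled, xmlrpc_methods, wp_headers and wp_sitemaps_add_provider). It also goes one step beyond the plugins: it drops the users entry from the core XML sitemap, which since WordPress 5.5 publishes wp-sitemap-users-1.xml, a ready-made list of author archive URLs. The file name and plugin header are my choices; everything applies to visitors who are not logged in, so editors and the block editor keep working.

```php
<?php
/**
 * Plugin Name: Stop user enumeration (hardening example)
 * Description: Code equivalent of the three plugin fixes above, for visitors who are not logged in.
 * Install: save as wp-content/mu-plugins/stop-user-enumeration.php (mu-plugins load automatically).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // loaded outside WordPress
}

/*
 * 1. Author archives and ?author=N.
 * Priority 1 runs before redirect_canonical() (template_redirect, priority 10),
 * so the ?author=1 -> /author/<slug>/ redirect never happens for visitors.
 * is_author() is true for /author/<slug>/, ?author=N and ?author_name=<slug>.
 */
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() || ! ( is_author() || isset( $_GET['author'] ) ) ) {
        return;
    }
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();
    $template = get_404_template() ?: get_index_template(); // theme 404 page, or index if it has none
    if ( $template ) {
        include $template;
    }
    exit; // stop the normal template loader from rendering the archive
}, 1 );

// The core sitemap (WP 5.5+) publishes wp-sitemap-users-1.xml, a list of author archive URLs.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );

/*
 * 2. REST API user endpoints.
 * Removing the routes covers /wp-json/wp/v2/users, the ?rest_route=/wp/v2/users
 * alias, /wp/v2/users/<id>, and the ?_embed expansion that pulls author data
 * into /wp/v2/posts. Logged-in users (block editor, app-password clients) keep them.
 */
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

/*
 * 3. XML-RPC.
 * xmlrpc_enabled => false rejects every call that needs a login (including
 * system.multicall batches of login attempts). Emptying the method table also
 * removes the unauthenticated wp.*, blogger.* and pingback.* methods; only the
 * system.* helpers remain, with nothing left to call.
 */
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] ); // stop advertising the endpoint on every post
    return $headers;
} );
```

An mu-plugin cannot be deactivated from the dashboard; delete the file to undo it, and don’t run it alongside the plugins above (the result is the same and it makes troubleshooting harder). One thing neither this file nor the plugins change: if your theme prints author bylines, each one still links to /author/slug/, so the slug remains visible in the page HTML even though the archive now returns 404. The remedy there is a user_nicename that differs from the login name, which the profile screen doesn’t expose but WP-CLI can set with wp user update <id> --user_nicename=<new-slug>.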
Remove login hints
The next step in stopping user enumeration is to lock down your login page. WordPress login forms are another common vector for user enumeration attacks on WordPress sites. Attackers can exploit the error messages on these forms to determine whether a username exists.
For example, if a login attempt with a non-existent username returns a message like “Invalid username,” it confirms that the username is not in the system. Conversely, if the message changes to “Incorrect password,” the attacker knows they’ve found a valid username.
We want to replace this with a more generic message that doesn’t reveal whether they guessed the username correctly or not.
You can add a few lines of code that remove login hints and replace them with a generic error. The quickest place is your theme’s functions.php (Tools > Theme File Editor), but anything added there is lost when the theme updates, so a child theme or a small file in wp-content/mu-plugins/ is the safer home. Paste this at the bottom, changing the message text if you wish:
// Replace every wp-login.php error message with one generic line, so the page
// no longer tells the visitor whether the username or the password was wrong.
function generic_login_error() {
    return 'Login failed. Check your username and password.';
}
add_filter( 'login_errors', 'generic_login_error' );
This closes the error-message channel on the login page. It does not touch the lost-password form, which has its own message for accounts that don’t exist (filterable through lostpassword_errors), and it does nothing about the REST API and author archive leaks above, so treat it as one layer among several.
Change the default login URL
Another thing you can do is change the login URL, which in WordPress is /wp-login.php by default. Automated scanners and brute force bots request that path by name, so moving it turns away a large share of them, including much of the brute forcing that follows user enumeration. Be clear about what this does, though: it hides the form rather than fixing anything, and it has no effect on the author archive or REST API leaks above.
You can do this by installing Melapress Login Security through Plugins > Add New, or by purchasing the premium plugin.
Once you have it installed, navigate to Login Security > Login page hardening. Look for Login page URL, and change it to a new URL. Pick something that can’t be guessed from your brand or site name, and don’t link to it from anywhere public.
Use a web application firewall
Another way to reduce user enumeration is to put the site behind a web application firewall configured to block bad bots and rate-limit abusive requests.
Many user enumeration attempts arrive in waves from bots looking for easy targets rather than from humans targeting your site. A WAF stops most of that traffic before it reaches WordPress, and most WAFs let you add rules of your own, for example blocking requests for /wp-json/wp/v2/users or for ?author= from anyone who isn’t logged in. It is a filter rather than a fix, though: a patient attacker sending a few requests at a time can still get through, so use it alongside the changes above, not instead of them.
There are many ways to get a WAF on your website, ranging from dedicated services like Wordfence to CDNs like Cloudflare which include web application firewalls as part of their platform.
Check your site with WPScan
Finally, WPScan is a popular tool among WordPress security professionals and ethical hackers for scanning WordPress sites for weaknesses, user enumeration included.
It has a dedicated user enumeration option, --enumerate u (short form -e u), which tries to compile a list of usernames from your site using the same leaks described above.
You can install the WPScan CLI scanner for free, or use the simplified WPScan plugin.
1: Install WPScan through Plugins > Add New.
2: Register an account to receive your API token. The free plan allows 25 API requests per day.
3: Navigate to WPScan > Settings and enter your token into WPScan API Token. Then click Save Changes.
4: Go to WPScan > Report and click Run All to scan your website. Or scroll down to Security Checks and run individual scans. The page will update and you’ll see a report of detected vulnerabilities.
WPScan is a great tool for identifying weaknesses, but it’s also commonly used by attackers to probe for them, and running it against sites you don’t own or have permission to test is illegal in most jurisdictions. If you can find a weakness with WPScan, anyone else can too.
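Whichever fixes you applied, verify them from the outside. The script below is an added example written for this article, not code from the article’s author or from WPScan, and it runs the checks behind the leaks described above against a site you control: the ?author=N redirect, the REST users endpoint under both URL forms, the core users sitemap, whether XML-RPC still accepts wp.* method calls, and (optionally, given a username you know is valid) whether the login form’s error text differs between a real and a bogus username. The function names and output format are mine; the URLs, the JSON slug field and the login_error element id are WordPress core’s. It needs PHP 7.1 or later with the curl extension.

```php
<?php
// check-enumeration.php: probe a WordPress site for the username leaks covered above.
// Usage: php check-enumeration.php https://example.com [known_valid_username]
// Needs the curl extension. Only run it against a site you own or are authorised to test.

// Returns [status, headers, body]. Redirects are not followed: the redirect itself is the leak.
function http_request( string $url, array $form = [], string $xml = '' ): array {
    $ch = curl_init( $url );
    curl_setopt_array( $ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 15,
    ] );
    if ( $form ) {
        curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $form ) );
    } elseif ( '' !== $xml ) {
        curl_setopt( $ch, CURLOPT_POSTFIELDS, $xml );
        curl_setopt( $ch, CURLOPT_HTTPHEADER, [ 'Content-Type: text/xml' ] );
    }
    $raw = curl_exec( $ch );
    if ( false === $raw ) {
        throw new RuntimeException( "$url: " . curl_error( $ch ) );
    }
    $status = curl_getinfo( $ch, CURLINFO_RESPONSE_CODE );
    $hsize  = curl_getinfo( $ch, CURLINFO_HEADER_SIZE );
    curl_close( $ch );
    return [ $status, substr( $raw, 0, $hsize ), substr( $raw, $hsize ) ];
}

// 1. ?author=N: a 3xx to /author/<slug>/ hands over the slug, which is the login name unless changed.
function check_author_redirect( string $site, int $id ): ?string {
    [ $status, $headers ] = http_request( "$site/?author=$id" );
    if ( $status >= 300 && $status < 400 && preg_match( '#^location:.*?/author/([^/?\r\n]+)#im', $headers, $m ) ) {
        return urldecode( $m[1] );
    }
    return null;
}

// 2. REST API: /wp/v2/users lists every user with a published post, under either URL form.
function check_rest_users( string $site ): array {
    $slugs = [];
    foreach ( [ "$site/wp-json/wp/v2/users?per_page=100", "$site/?rest_route=/wp/v2/users&per_page=100" ] as $url ) {
        [ $status, , $body ] = http_request( $url );
        $users = json_decode( $body, true );
        if ( 200 !== $status || ! is_array( $users ) ) {
            continue; // 404 (route removed) or 401 (login required) means no leak here
        }
        foreach ( $users as $u ) {
            if ( isset( $u['slug'] ) ) {
                $slugs[ $u['slug'] ] = true;
            }
        }
    }
    return array_keys( $slugs );
}

// 3. Core sitemap (WP 5.5+): wp-sitemap-users-1.xml is a ready-made list of author archive URLs.
function check_sitemap_users( string $site ): array {
    [ $status, , $body ] = http_request( "$site/wp-sitemap-users-1.xml" );
    if ( 200 !== $status || ! preg_match_all( '#/author/([^/<]+)/?<#', $body, $m ) ) {
        return [];
    }
    return array_values( array_unique( array_map( 'urldecode', $m[1] ) ) );
}

// 4. XML-RPC: system.listMethods needs no credentials; wp.* methods in the list mean logins are accepted here.
function check_xmlrpc( string $site ): bool {
    $call = '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>';
    [ $status, , $body ] = http_request( "$site/xmlrpc.php", [], $call );
    return 200 === $status && false !== strpos( $body, '<methodResponse>' ) && false !== strpos( $body, 'wp.getUsersBlogs' );
}

// 5. Login hints: compare the error text for a bogus username with that for a known one.
//    Two failed logins, which a lockout plugin will count. Returns null if no error block is found.
function check_login_hint( string $site, string $known_user ): ?bool {
    $shapes = [];
    foreach ( [ 'nouser-' . bin2hex( random_bytes( 4 ) ), $known_user ] as $user ) {
        [ , , $body ] = http_request( "$site/wp-login.php", [ 'log' => $user, 'pwd' => bin2hex( random_bytes( 16 ) ) ] );
        if ( ! preg_match( '#<div[^>]*id="login_error"[^>]*>(.*?)</div>#s', $body, $m ) ) {
            return null;
        }
        // Core wraps the echoed username in <strong>; blank it so only the message shape is compared.
        $shapes[] = trim( strip_tags( preg_replace( '#<strong>.*?</strong>#s', '*', $m[1] ) ) );
    }
    return $shapes[0] !== $shapes[1];
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $site = rtrim( $argv[1], '/' );
    $slug = null;
    foreach ( range( 1, 5 ) as $id ) { $slug = $slug ?? check_author_redirect( $site, $id ); }
    echo $slug ? "LEAK  ?author=N redirects to author slug '$slug'\n" : "OK    ?author=N (IDs 1-5) reveals no slug\n";
    $rest = check_rest_users( $site );
    echo $rest ? 'LEAK  REST users endpoint lists: ' . implode( ', ', $rest ) . "\n" : "OK    REST users endpoint blocked or empty\n";
    $map = check_sitemap_users( $site );
    echo $map ? 'LEAK  users sitemap lists: ' . implode( ', ', $map ) . "\n" : "OK    no author slugs in the users sitemap\n";
    echo check_xmlrpc( $site ) ? "WARN  XML-RPC accepts wp.* calls\n" : "OK    XML-RPC not usable for logins\n";
    if ( isset( $argv[2] ) ) {
        $hint = check_login_hint( $site, $argv[2] );
        echo null === $hint ? "?     login error block not found\n" : ( $hint ? "LEAK  login errors differ for valid and invalid usernames\n" : "OK    login errors are identical\n" );
    }
}
```

The login check is the only one that costs anything: it makes two failed login attempts, so expect them to show up in your lockout plugin and activity log, and run it with a throwaway account’s username if you have one. An empty REST result is also worth a second look, since a site whose users have no published posts returns an empty list even when the endpoint is wide open.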
Protecting against risks caused by user enumeration
There’s a lot you can do to stop user enumeration, especially from automated attacks looking for WordPress websites that have taken little to no precautions.
But targeted attacks can be hard to stop, and your focus needs to shift to stopping the resultant brute force attacks and break-in attempts. Here’s what you can do.
1: Keep WordPress up to date – Running outdated WordPress core, themes, and plugins is one of the most common ways sites get compromised. Updates keep patching weaknesses, including ones that leak usernames.
2: Limit login attempts – After a successful user enumeration, brute force attempts are often soon to follow. Melapress Login Security can help you limit login attempts and harden your login page in many other ways.
3: Use strong passwords and unpredictable usernames – Enforce strong, unique passwords, and avoid obvious account names such as admin or the site name, which attackers try first; Melapress Login Security can enforce both.
4: Reset passwords when there is a reason to – A password expiration policy is often suggested against credential stuffing, but forced periodic rotation tends to produce weaker, patterned passwords, and NIST SP 800-63B advises against requiring it unless there is evidence of compromise. A better use of the same feature is a one-off forced reset for everyone after a suspected breach or a leaked credential dump.
5: Set IP and time restrictions – Another feature of Melapress Login Security is the ability to lock down accounts. You can set IP restrictions, so an account can only log in from trusted addresses (an office network or VPN, say), and login time restrictions to prevent anyone from using an account outside work hours.
6: Disable inactive users – The more users you have, the more attack vectors, especially if those users have heightened privileges. It can be a good idea to disable inactive user accounts after a period of time.
7: Enable two-factor authentication – WP 2FA can enable two-factor authentication, requiring all user accounts to have an extra point of security and preventing a majority of unwanted logins.
8: Implement CAPTCHA challenges – CAPTCHA challenges, which can be implemented through CAPTCHA 4 WP, will stop many bots from breaking in.
9: Protect against social engineering – Stopping phishing attacks, like fake password reset emails, that result from user enumeration can be tough. There’s no plugin you can install to stop it; you need to train yourself and any employees to be wary of the links they click on and how to identify suspicious emails.
10: Use an activity log plugin – It’s never a bad idea to have an activity log plugin. With this, you can keep a close eye on what your users are up to and identify any suspicious behavior. You can even set up customized reports to be sent to your email periodically.
Stop user enumeration
User enumeration may seem like a small problem, but it can lead directly to brute force attacks and result in your website being hacked. It’s important to do what you can to stop user enumeration, from disabling vulnerable REST API endpoints to hiding author archives.
Plugins like Melapress Login Security, WP 2FA, and CAPTCHA 4WP can stop bots looking to exploit user enumeration through your login forms and also blunt the brute force attempts that follow. Protect your website from bad bots and stop user enumeration before it gets too far.