Preventing Username Enumeration on Your WordPress Site

This will prevent redirections from yoursite.com/?author={id} to yoursite.com/author/username.

Having username enumeration enabled on a WordPress website presents a significant security risk. It allows potential attackers to easily discover usernames through various methods, such as error messages or author archive pages. This information can then be used to attempt brute force attacks, targeting passwords associated with these usernames.

Disable Username Enumeration

By gathering a list of valid usernames, an attacker can focus their efforts more effectively, increasing the likelihood of unauthorized access.

Disabling username enumeration is a basic yet crucial step in hardening WordPress sites against such attacks, making it more difficult for attackers to gain the information they need to compromise the site.

Hackers will use this method to identify usernames on your website. By blocking this functionality and using custom usernames, you will make their attempts to log in to your website significantly more difficult.

Steps to Disable Username Enumeration on Your WordPress Site

  1. Modify the .htaccess File: Add the following lines to your .htaccess file to prevent access to URLs that reveal usernames:
    
        # Block access to author scans
        RewriteEngine On
        RewriteCond %{REQUEST_URI} ^/author/(.*)$ [NC]
        RewriteRule ^(.*)$ - [R=403,L]
    
  2. Use a Security Plugin: Install a security plugin such as Security Ninja that offers protection against username enumeration attacks. These plugins can help block common methods used by attackers to discover usernames.
  3. Create Custom Usernames: Avoid using predictable usernames such as “admin” or “administrator”. Instead, create unique usernames that are difficult to guess.
  4. Limit Login Attempts: Implement a plugin that limits the number of login attempts. This can help prevent brute force attacks by locking out users after a certain number of failed login attempts.
  5. Regularly Update WordPress: Ensure your WordPress installation, themes, and plugins are always up-to-date with the latest security patches. Regular updates are critical for maintaining the security of your site.

By following these steps, you can significantly reduce the risk of username enumeration and enhance the overall security of your WordPress site.

Was this helpful?