What is User Enumeration?
User Enumeration is a technique used by attackers to discover valid usernames on a WordPress site. It does not grant access by itself, but a list of legitimate usernames solves half the puzzle for a brute-force or credential-stuffing attack. Native WordPress features, the REST API in particular, can inadvertently leak this user identity data when left at their default configuration.
The REST API Leak Path
By default, the WordPress REST API exposes a public endpoint located at /wp-json/wp/v2/users. Anyone navigating to this URL can view a JSON feed containing public profiles, descriptions, and crucially, the exact login usernames of every author and administrator who has published content on the site. Attackers use automated tools to scrape this endpoint, generating a clean list of target accounts to launch high-speed password guessing scripts against.
Blocking REST API Enumeration
To prevent unauthorized scanning of your user base, restrict access to user data streams:
- Block the Users Endpoint: Add custom PHP code to your site to disable the users endpoint for unauthenticated visitors. You can check whether is_user_logged_in() is false and return a WP_Error object for /wp-json/wp/v2/users.
- Enforce Authentication for REST API: Use a security plugin or filter to require authentication for all incoming REST API requests, ensuring that anonymous web traffic cannot access internal directory data.
- Obfuscate Author Slugs: Use plugins to change author archive URLs so that they do not match the literal login usernames, separating public display names from backend account identifiers.
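The following must-use plugin is an added example that implements the first two items above; it is not code from the original article. It uses three core WordPress filters (rest_endpoints, rest_pre_dispatch and rest_authentication_errors); the UE_REQUIRE_REST_AUTH constant, the error codes and the file location under wp-content/mu-plugins/ are this example's own choices. It assumes WordPress 5.x or later, where WP_REST_Request::get_route() returns the route without the /wp-json prefix.

```php
<?php
/**
 * Plugin Name: Restrict REST API user enumeration (example)
 *
 * Added example, not from the original article. Save as
 * wp-content/mu-plugins/restrict-user-enumeration.php so it loads before
 * regular plugins. The hook names are core WordPress filters; the constant
 * and error codes below are this example's own.
 */

// Hypothetical toggle: true applies step 2 (login required for every REST
// request); false applies only step 1 (hide the users routes from anonymous
// visitors). Some themes and plugins make anonymous REST calls from the
// front end, so test with true before deploying it.
const UE_REQUIRE_REST_AUTH = false;

/**
 * Step 1: drop every route under /wp/v2/users from the route table for
 * anonymous visitors. The collection, single-user and /me routes all
 * disappear, so the endpoint answers 404 instead of listing accounts.
 */
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

/**
 * Defence in depth: if another plugin re-registers a users route, answer
 * anonymous requests to it with a WP_Error (HTTP 401) before dispatch.
 * rest_pre_dispatch sees the normalised route, so both the pretty URL
 * /wp-json/wp/v2/users and the ?rest_route=/wp/v2/users form are covered;
 * a web-server rule that matches only the /wp-json/ path would miss the latter.
 */
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    if ( null !== $result || is_user_logged_in() ) {
        return $result; // someone else already short-circuited, or the caller is authenticated
    }
    if ( 0 === strpos( $request->get_route(), '/wp/v2/users' ) ) {
        return new WP_Error(
            'rest_user_enumeration_blocked',
            __( 'Authentication is required to view user data.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
}, 10, 3 );

/**
 * Step 2 (optional): require authentication for the entire REST API.
 * rest_authentication_errors runs once per request before routing. A non-null
 * $result means an earlier handler has already decided (true = authenticated,
 * WP_Error = rejected), so it is passed through untouched.
 */
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! UE_REQUIRE_REST_AUTH || null !== $result || is_user_logged_in() ) {
        return $result;
    }
    return new WP_Error(
        'rest_not_logged_in',
        __( 'You must be logged in to use the REST API.' ),
        array( 'status' => 401 )
    );
} );
```

After installing, check the result from an unauthenticated browser or with curl against both URL forms: a request to /wp-json/wp/v2/users and one to /?rest_route=/wp/v2/users should each return a 401 or 404 JSON error rather than a list of accounts, while a logged-in administrator still sees the Users screen in wp-admin work normally. Hiding the route also removes it from the API index at /wp-json/, so scanners that discover endpoints from the index get nothing to follow.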
