User enumeration is a common technique used by attackers to identify usernames on WordPress sites. Once usernames are discovered, attackers can use brute-force or other hacking techniques to compromise accounts. Here’s how to secure your WordPress site against this vulnerability.

1. Limit Access to Sensitive Information

  • Disable the ability to view user details via URLs like ?author=1.
    Add the following code to your functions.php file:

    php
    add_action('template_redirect', function() {
    if (is_author()) {
    wp_redirect(home_url());
    exit;
    }
    });

2. Use Security Plugins

Install plugins like Wordfence or All In One WP Security to monitor and block suspicious activities. These plugins can detect and prevent user enumeration attempts.

3. Block User Enumeration via .htaccess

For Apache servers, use the following code in the .htaccess file to block requests targeting usernames:

apache
RewriteCond %{QUERY_STRING} ^.*(author=\d+).*$
RewriteRule ^(.*)$ /? [L,R=301]

4. Implement Strong Password Policies

Encourage all users to use strong passwords and enable two-factor authentication (2FA) to add an extra layer of security.

5. Monitor Logs for Suspicious Activity

Regularly review your website logs for unusual activity or repeated attempts to access user information.

6. Keep WordPress Updated

Always use the latest version of WordPress, plugins, and themes to ensure known vulnerabilities are patched.

By following these steps, you can significantly reduce the risk of user enumeration and keep your WordPress site secure.