
Wordpress wordpress stop user enumeration

Discussion in 'Blogs & CMS usage' started by hitman, Jun 28, 2016.

  1. hitman

    hitman Member

    Hello,
    I would like to know if there is a way to stop user enumeration without using a plugin,
    or which is the best way to do it.

    Thank you

     
  2. eva2000

    eva2000 Administrator Staff Member

    Not entirely sure what you mean by user enumeration?
     
  3. hitman

    hitman Member

  4. eva2000

    eva2000 Administrator Staff Member

    I think that answers your question: security - Can I Prevent Enumeration of Usernames? - WordPress Development Stack Exchange

    So you can't if you want WordPress friendly URLs.

    If you use the centminmod 123.09beta01 WordPress install via centmin.sh menu option 22, you can sort of work around it for the admin user, as the installer gives you an option to set the admin displayed username, which will be different from the WP login username: Wordpress Nginx Auto Installer (WP Super Cache). You can also change the display names manually via profile edits in WordPress.

    Edit: also try adding this in the main root location / context of the WordPress vhost:

    Code (Text):
    if ($args ~ "^author=\d") { return 403; }

    Or use a 444 return error code, as wpscan deems 403 a valid code:
    Code (Text):
    if ($args ~ "^author=\d") { return 444; }
     
    Last edited: Jun 29, 2016
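
Added example (not part of the thread and not Centmin Mod code): a Python check over nginx access-log lines that lists which clients requested numeric `author=` IDs and whether each request received one of the 403/444 responses from the rule above. The log lines are constructed samples in nginx's default combined format; the function names and the `min_ids` threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# nginx "combined" log format: capture client IP, request target and status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
BLOCKED = {"403", "444"}  # the two return codes used in the post

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jun/2016:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 444 0 "-" "-"
203.0.113.7 - - [29/Jun/2016:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 444 0 "-" "-"
203.0.113.7 - - [29/Jun/2016:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 444 0 "-" "-"
198.51.100.9 - - [29/Jun/2016:10:05:00 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "-"
198.51.100.20 - - [29/Jun/2016:10:06:00 +0000] "GET /?paged=2&author=1 HTTP/1.1" 301 0 "-" "-"
198.51.100.20 - - [29/Jun/2016:10:06:01 +0000] "GET /author/jane/ HTTP/1.1" 200 7300 "-" "-"
"""

def author_probes(log_text):
    """Return {ip: {"ids": numeric author ids seen, "unblocked": count}}."""
    hits = defaultdict(lambda: {"ids": set(), "unblocked": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        # Inspect the author argument wherever it sits in the query string.
        for value in parse_qs(urlsplit(target).query).get("author", []):
            if re.fullmatch(r"[0-9]+", value):
                hits[ip]["ids"].add(int(value))
                if status not in BLOCKED:
                    hits[ip]["unblocked"] += 1
    return dict(hits)

def report(log_text, min_ids=3):
    """Per client: is it walking author ids, and did any request pass the rule?"""
    out = {}
    for ip, h in author_probes(log_text).items():
        out[ip] = {"scanning": len(h["ids"]) >= min_ids,
                   "rule_missed": h["unblocked"] > 0}
    return out

if __name__ == "__main__":
    for ip, verdict in report(SAMPLE_LOG).items():
        print(ip, verdict)
```

The posted pattern is anchored to the start of `$args`, so a request where `author` is not the first argument does not match it; such requests show up here as `rule_missed`.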