If your business runs a WordPress website, then chances are that your website is potentially exposing user account names (also known as user enumeration). Hackers use clever malicious scripts to scan a website looking for usernames. With these usernames, they conduct brute force attacks on the website. To stop this type of attack, you must take steps to stop user enumeration. Read on to discover how to stop user enumeration on your WordPress website.

How to check your website

To see whether your website is exposing usernames, simply enter the following in your web browser:


Replace www.yourdomainname.com with the domain name for your website. WordPress uses a numbering system to track authorized users. In most cases, the user account with an ID of 1 belongs to the administrator.

When testing the website of Georgia State University, the website returns the name of the individual with an ID of 1 (Bart Nason). The login name for this person is bart.nason. Hackers now have one half of the username/password combination required to log in to their WordPress website.

Georgia State University

Some websites use themes that publish the usernames of post authors in plain view. For example, at the website of the Blogging Wizard, you can see the author’s name (Adam Connell). Hover your mouse over the author’s name and you see the username is adamc. If you append /?author=1 to their domain name, the website returns adamc. Again, with this information, hackers have one half of the username/password combination required to attack the website.

Blogging Wizard

How to stop user enumeration

To stop a website from displaying the post author’s name, select a theme that does not display the post author’s name. If you must use a theme the displays a post author’s name, use CSS or JavaScript to hide the author name element.

To block hackers from using the /?author= trick to get usernames, add this code to your functions.php file.

if (!is_admin()) {
if (preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])) die();
add_filter('redirect_canonical', check_enum', 10, 2);

function check_enum($redirect, $request) {
if (preg_match('/\?author=([0-9]*)(\/*)/i', $request)) die();
else return $redirect;

What this code does is check to see if the visitor is an administrator. If the visitor is not an administrator, the code kills the request to display the author name.

Another way to block visitors from using the /?author= trick is to add this code to your .htaccess file.

<IfModule mod_rewrite.c>
    RewriteCond %{QUERY_STRING} ^author=([0-9]*)
    RewriteRule .* http://www.domain.com/? [L,R=302]

Replace www.domain.com with your domain name.

Use a plugin

Another way to prevent your website from displaying usernames is to use a plugin. The Stop User Enumeration plugin detects and prevents attempts to scan your website for usernames. There are some additional settings available, but the default settings are enough for most websites.

With WordPress hacking attempts rising, understanding how WordPress works and taking steps to prevent your website from displaying usernames goes a long way in preventing brute force attacks. Ensure that you check your WordPress website for user enumeration vulnerabilities. Lock down your WordPress website to keep hackers out.

Need help with user enumeration?

Let’s chat!

Feel free to share this post.