
How to Fix the Username Enumeration Vulnerability in WordPress

The vulnerability you’re facing is related to WordPress’ REST API endpoint /wp-json/wp/v2/users/, which allows anyone to enumerate usernames. This is known as Username Enumeration and can be exploited to discover valid usernames, making it easier for attackers to target specific accounts with brute-force or other types of attacks.


On Softstribe, when I ran https://softstribe.com//wp-json/wp/v2/users/, it showed all the data of the usernames registered in its database. We should not let this URL be publicly accessible, because it displays all the details of your users to hackers who specifically target sites that are open to the username enumeration vulnerability.

Steps to Fix the Username Enumeration Vulnerability

Disable REST API for Unauthorized Users

One of the most effective ways to prevent username enumeration via the REST API is to disable REST API access for non-authenticated users. You can do this by adding a code snippet to your theme’s functions.php file or by using a code snippets plugin.

Here’s a simple snippet to disable REST API access for non-authenticated users:

   add_filter('rest_authentication_errors', function ($result) {
       if (!empty($result)) {
           return $result;
       }
       if (!is_user_logged_in()) {
           return new WP_Error('rest_not_logged_in', 'You are not currently logged in.', array('status' => 401));
       }
       return $result;
   });

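This code checks whether a user is logged in before granting access to any REST API endpoint. Because it applies to every route, plugins or front-end features that call the REST API for anonymous visitors will also receive the 401 response.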

Modify the REST API Response

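If you want to keep the rest of the REST API open to the public but stop it from listing users, you can remove the users routes from the REST API instead:

   add_filter('rest_endpoints', function ($endpoints) {
       // Remove the user collection route and the single-user route;
       // leaving the latter registered still allows lookups by user ID.
       foreach (array('/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)') as $route) {
           if (isset($endpoints[$route])) {
               unset($endpoints[$route]);
           }
       }
       return $endpoints;
   });

This code snippet removes the /wp/v2/users endpoint from the REST API, both the collection route and the per-ID route, preventing username enumeration through this endpoint. The routes are removed for everyone, including logged-in users.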

  • Use Security Plugins:
    Security plugins like Wordfence, iThemes Security, or Sucuri Security offer settings that can disable REST API access for non-authenticated users or provide advanced options to mitigate various vulnerabilities, including username enumeration.
  • Rename the Default “admin” Username:
    Ensure your website does not use common usernames like “admin,” which is often the first target for brute-force attacks. Rename the default username to something less predictable.
  • Implement Strong Password Policies and Two-Factor Authentication (2FA):
    Even with restricted REST API access, it’s crucial to have strong password policies and implement 2FA for all user accounts, especially administrators.
  • Limit Login Attempts and Monitor Logs:
    Use plugins that limit login attempts and monitor your website’s access logs to identify any suspicious activity. This can help you block IPs attempting brute-force attacks.
  • Regularly Update WordPress and Plugins:
    Keeping your WordPress core, themes, and plugins updated is critical to mitigate vulnerabilities. Ensure that you regularly update all components of your site.
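
To go with the log-monitoring step above, here is an added example (not code from this article or from WordPress) that scans web server access logs for requests to the users endpoint. It assumes the combined log format and covers only the /wp-json/wp/v2/users path named in this article; the `min_ids` threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# The endpoint named in the article, with an optional numeric user ID.
USERS_RE = re.compile(r'^/+wp-json/wp/v2/users(?:/(\d+))?/?(?:\?|$)')

def scan(lines):
    """Summarise requests to the users endpoint per client IP."""
    hits = defaultdict(lambda: {"requests": 0, "exposed": 0, "ids": set()})
    for line in lines:
        m = LOG_RE.match(line)
        u = USERS_RE.match(m.group(2)) if m else None
        if not u:
            continue  # unparseable line, or a request to some other path
        entry = hits[m.group(1)]
        entry["requests"] += 1
        if u.group(1):
            entry["ids"].add(int(u.group(1)))  # per-ID lookup
        if m.group(3) == "200":
            entry["exposed"] += 1  # the endpoint answered with data
    return dict(hits)

def findings(lines, min_ids=3):
    """Return (ip, reason) pairs that deserve a closer look."""
    out = []
    for ip, e in sorted(scan(lines).items()):
        if e["exposed"]:
            out.append((ip, "users endpoint returned 200"))
        if len(e["ids"]) >= min_ids:
            out.append((ip, "walked %d user IDs" % len(e["ids"])))
    return out

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET //wp-json/wp/v2/users/ HTTP/1.1" 200 1843 "-" "-"',
    '203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 401 112 "-" "-"',
    '203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /wp-json/wp/v2/users/2 HTTP/1.1" 401 112 "-" "-"',
    '203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "GET /wp-json/wp/v2/users/3 HTTP/1.1" 401 112 "-" "-"',
    '198.51.100.4 - - [10/Mar/2025:10:01:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.9 - - [10/Mar/2025:10:02:00 +0000] "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 404 98 "-" "-"',
]

if __name__ == "__main__":
    for ip, reason in findings(SAMPLE):
        print(ip, reason)
```

A 200 response to a client that is not a logged-in user means neither snippet above is in effect for that request; 401 or 404 responses show the restriction is working while still recording who is probing.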

By implementing these steps, you can mitigate the username enumeration vulnerability and strengthen the security of your WordPress website.