WordPress security is a game of layers. One of the most common ways attackers begin an assault on your site is through WordPress username enumeration. By identifying valid usernames, hackers are halfway toward a successful brute-force attack. If you have ever used a tool like WPScan, you know how easy it is for an automated script to reveal exactly who is registered on your site.

In this guide, you will learn why username enumeration happens, how to block it using server-level rules, and how to harden your WordPress configuration to keep your user list private.

Understanding WordPress Username Enumeration

By default, WordPress makes it very easy to find author information. This is intended to be a feature for themes and plugins, but it is frequently exploited. The most common method involves appending a query string to your URL, such as yourdomain.com/?author=1.

If your site uses "Pretty Permalinks," WordPress will typically issue a 301 redirect to the author's archive page, such as yourdomain.com/author/admin/. This immediately reveals the login username. Even if you don't use pretty permalinks, tools like WPScan can parse the page source or the site's RSS feed to find the string "posts by [username]."

While knowing a username doesn't mean your site is compromised, it removes the first barrier of defense. Preventing this disclosure is a critical step in a robust security strategy.

Method 1: Blocking Enumeration via .htaccess (Apache)

If your website runs on an Apache server, the most efficient way to block these requests is at the server level before WordPress even processes the query. This saves server resources and stops bots in their tracks.

Basic .htaccess Block

You can add the following rules to your .htaccess file to intercept any request containing the author query variable:

# Block author scans (requires mod_rewrite; repeating RewriteEngine On is harmless if it is already set)
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ - [L,R=403]

How it works:

  1. The first line ensures that legitimate requests to the WordPress dashboard (/wp-admin) are not blocked.
  2. The second line looks for the author variable followed by a digit (\d). This is more efficient than complex regex because it matches as soon as it sees a number.
  3. The third line returns a 403 Forbidden status, telling the bot it doesn't have permission to access that resource.

Handling Advanced Bot Patterns

Some bots attempt to bypass simple filters by using different syntax or "broken" requests. To be more comprehensive, you can use this updated rule which covers variations like /?author={num:2}:

RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} ^author=\d+ [NC,OR]
RewriteCond %{QUERY_STRING} ^author=\{num [NC]
RewriteRule ^ - [L,R=403]
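Before deploying either rule set it is worth checking which requests they actually refuse. The following Python script is an added example, not code from the article or from any plugin: it transcribes the RewriteCond patterns above (Apache evaluates them with PCRE, so Python's re engine agrees for these expressions, with [NC] mapped to re.IGNORECASE) and runs constructed request lines through them. The combined_rule_blocks function is my own suggested merge of the two rule sets and is not from the article.

```python
import re
from urllib.parse import urlsplit

# Patterns transcribed from the two .htaccess rule sets above.
WP_ADMIN = re.compile(r"^/wp-admin", re.IGNORECASE)          # !^/wp-admin [NC]

# "Basic .htaccess Block": author=\d, unanchored and case-sensitive.
BASIC_AUTHOR = re.compile(r"author=\d")

# "Handling Advanced Bot Patterns": both conditions anchored with ^ and [NC].
ADV_AUTHOR_DIGITS = re.compile(r"^author=\d+", re.IGNORECASE)
ADV_AUTHOR_BRACE = re.compile(r"^author=\{num", re.IGNORECASE)


def _split(url):
    """REQUEST_URI is the path without the query; QUERY_STRING is the raw query."""
    parts = urlsplit(url)
    return parts.path, parts.query


def basic_rule_blocks(url):
    """True when the basic rule set would answer 403 for this request."""
    path, query = _split(url)
    if WP_ADMIN.search(path):   # first RewriteCond fails: admin requests are exempt
        return False
    return BASIC_AUTHOR.search(query) is not None


def advanced_rule_blocks(url):
    """True when the advanced rule set would answer 403 for this request."""
    path, query = _split(url)
    if WP_ADMIN.search(path):
        return False
    return (ADV_AUTHOR_DIGITS.search(query) is not None
            or ADV_AUTHOR_BRACE.search(query) is not None)


def combined_rule_blocks(url):
    """Hypothetical merge (my suggestion, not from the article): keep the basic
    unanchored digit test and add an unanchored brace test, so the author
    variable is caught wherever it sits in the query string."""
    path, query = _split(url)
    if WP_ADMIN.search(path):
        return False
    return (re.search(r"author=\d", query) is not None
            or re.search(r"author=\{num", query, re.IGNORECASE) is not None)


# Constructed request lines for the check (not captured traffic).
SAMPLE_REQUESTS = [
    "/?author=1",                   # classic scan
    "/?author={num:2}",             # brace variant the advanced rules target
    "/?page=2&author=1",            # author= not at the start of the query string
    "/?author=admin",               # non-numeric value, outside what either rule targets
    "/wp-admin/edit.php?author=3",  # legitimate admin filter, must stay reachable
]


def coverage_table(urls=SAMPLE_REQUESTS):
    """Map each URL to its (basic, advanced, combined) block decisions."""
    return {u: (basic_rule_blocks(u), advanced_rule_blocks(u), combined_rule_blocks(u))
            for u in urls}


if __name__ == "__main__":
    for url, verdict in coverage_table().items():
        print(f"{url:32} basic={verdict[0]!s:5} advanced={verdict[1]!s:5} combined={verdict[2]}")
```

Running it shows the trade-off between the two rule sets: the basic rule ignores the brace form, while the anchored advanced rules only match when author= is the first parameter, which is why the merged version drops the ^ anchors while keeping the /wp-admin exemption.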

Method 2: Disabling Author Archives via PHP

If you prefer to handle this within WordPress—or if you aren't comfortable editing server files—you can disable the author query variables entirely. This approach is highly effective because it removes the underlying resource from the WordPress query engine.

You can add this code to your theme's functions.php file or a custom functionality plugin:

// Remove the public 'author' and 'author_name' query vars on the front end only,
// so ?author=1 and /author/<name>/ no longer resolve to an author archive
// while the dashboard keeps its author filters.
if ( ! is_admin() ) {
    add_filter(
        'query_vars',
        function ( $public_query_vars ) {
            foreach ( array( 'author', 'author_name' ) as $var ) {
                // Strict comparison so only the exact variable name is removed.
                $key = array_search( $var, $public_query_vars, true );
                if ( false !== $key ) {
                    unset( $public_query_vars[ $key ] );
                }
            }
            return $public_query_vars;
        }
    );
}

Note on SEO: This method will effectively disable all author archive pages on your site. If your site relies on these pages (for example, a multi-author blog where readers browse by writer), this might not be the best solution for you. However, for single-author sites or corporate blogs, it is an excellent security measure.

Method 3: Nginx and Managed Hosting (WP Engine)

For those using Nginx or managed hosts like WP Engine, you cannot use .htaccess files. Instead, you must use Nginx rewrite rules or the host's provided dashboard tools.

On Nginx, you would typically add a rule to your configuration block:

# Any request whose query string contains author= followed by zero or more
# digits is redirected to the home page. nginx's "return" uses the given URL
# as-is, so the original query string is not carried over. Note that, unlike
# the .htaccess rules above, this condition has no /wp-admin exclusion.
if ($query_string ~ "author=([0-9]*)") {
    return 301 /;
}

If you are on WP Engine, you can use their "Redirect Rules" section with the following settings:

  • Source: ^/$
  • Destination: /? (The ? ensures the query string is stripped)
  • Match args: author=([0-9]*)
  • Rewrite type: 301 Permanent

Best Practices for User Privacy

While blocking automated scans is helpful, you should also practice "Security through Obscurity" by separating your login name from your public display name.

  1. Change Your Nickname: Go to Users > Profile. Set a "Nickname" that is different from your username, and change the "Display name publicly as" dropdown to use that nickname.
  2. Avoid 'Admin': Never use the username "admin." If you currently have an account named admin, create a new administrator account with a unique name and delete the old one.
  3. Use 2FA: Even if a hacker discovers your username, Two-Factor Authentication (2FA) makes it nearly impossible for them to log in without your physical device.

Common Mistakes to Avoid

  • Blocking wp-admin: Always ensure your rules include a condition to ignore /wp-admin. If you don't, you might find yourself locked out of your own dashboard when performing certain administrative tasks.
  • Not Testing Redirects: When using a 301 redirect to block enumeration, ensure you add a ? at the end of the destination URL. Without it, the author=1 query might simply append itself to the new URL, continuing to disclose information.
  • Ignoring the REST API: Modern WordPress also discloses users via the REST API (/wp-json/wp/v2/users). While the methods above block URL-based enumeration, you should also consider using a security plugin (like Wordfence or Sucuri) to restrict REST API access to logged-in users.
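Whichever block you deploy, your access log is the place to confirm it is working and to spot the scanners the article describes. The script below is an added example, not part of the article or of any plugin: it parses constructed lines in the Apache/nginx "combined" log format, classifies the three enumeration shapes discussed on this page (the ?author=N query, the /author/<name>/ archive and the /wp-json/wp/v2/users REST route), counts attempts per client address, and lists requests that were answered with something other than 403 or 404, which is where a block has not taken effect. The IP addresses, timestamps and user agents are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 403 199 "-" "example-scanner/1.0"
203.0.113.10 - - [10/May/2024:12:00:02 +0000] "GET /?author=2 HTTP/1.1" 403 199 "-" "example-scanner/1.0"
203.0.113.10 - - [10/May/2024:12:00:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "example-scanner/1.0"
198.51.100.7 - - [10/May/2024:12:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:05:01 +0000] "GET /author/admin/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:12:10:00 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:12:10:05 +0000] "GET /wp-admin/edit.php?author=3 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# One "combined" log line: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Request shapes the article names as enumeration vectors.
AUTHOR_QUERY = re.compile(r"[?&]author=(\d+|\{num)")
AUTHOR_ARCHIVE = re.compile(r"^/author/[^/?]+/?")   # weak signal on multi-author sites
REST_USERS = re.compile(r"^/wp-json/wp/v2/users(/|\?|$)")


def classify(path):
    """Return the enumeration vector a request path matches, or None."""
    if path.lower().startswith("/wp-admin"):   # same exemption as the server rules
        return None
    if REST_USERS.search(path):
        return "rest_users"
    if AUTHOR_QUERY.search(path):
        return "author_query"
    if AUTHOR_ARCHIVE.match(path):
        return "author_archive"
    return None


def analyze(log_text):
    """Count enumeration attempts per client and collect the ones not refused."""
    attempts = defaultdict(Counter)   # ip -> Counter(vector)
    unblocked = []                    # (ip, path, status) answered with neither 403 nor 404
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        vector = classify(m["path"])
        if vector is None:
            continue
        attempts[m["ip"]][vector] += 1
        if m["status"] not in ("403", "404"):
            unblocked.append((m["ip"], m["path"], m["status"]))
    return {"attempts": {ip: dict(c) for ip, c in attempts.items()}, "unblocked": unblocked}


def flag_scanners(report, threshold=3):
    """Clients with at least `threshold` enumeration attempts, for a block list or alert."""
    return [ip for ip, vectors in report["attempts"].items()
            if sum(vectors.values()) >= threshold]


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, vectors in report["attempts"].items():
        print(f"{ip:15} {vectors}")
    for ip, path, status in report["unblocked"]:
        print(f"NOT BLOCKED  {ip:15} {status}  {path}")
    print("scanners:", flag_scanners(report))
```

In the sample, the Apache 403 rule has refused the ?author= scans from the first client, but the same client's REST request and the second client's 301 both went through, which is exactly the gap the two bullets above describe; the /wp-admin request is ignored, mirroring the exemption in the server rules.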

Frequently Asked Questions

Does blocking username enumeration hurt my SEO?

Generally, no. Unless your site relies heavily on author archive pages for traffic, blocking these queries has no impact on your search engine rankings. Most single-author sites actually benefit from removing thin-content archive pages.

Is my site hacked if I see author scans in my logs?

No. Scans for ?author=1 are part of the "background noise" of the internet. Bots scan millions of sites daily looking for easy targets. Seeing these scans simply means your site is visible to the public.

Can I just use a plugin for this?

Yes. Most major security plugins have a toggle to "Disable Author Archives" or "Prevent Username Enumeration." This is a great choice if you aren't comfortable editing code or server configurations.

Wrapping Up

Preventing WordPress username enumeration is a simple yet effective way to harden your site against targeted attacks. Whether you choose to use a server-level .htaccess block, a PHP filter, or Nginx rules, you are making it significantly harder for bots to map out your site's vulnerabilities. Combine these technical blocks with strong passwords and 2FA to ensure your WordPress site remains a difficult target for hackers.