One of the most common findings in our scans is also one of the least talked about: user enumeration. Out of the box, a default WordPress install will reveal its usernames to anyone who asks — no login required.
How it happens
There are two main ways usernames leak:
- The REST API. Requesting /wp-json/wp/v2/users returns a JSON list of authors, including each user's slug — which is usually the login name.
- The author archive redirect. Visiting /?author=1 redirects to /author/{username}/, exposing the login name for user ID 1 (often the administrator).
Either one gives an attacker something valuable: a confirmed, valid username.
Why it matters
A login attack needs two things — a username and a password. Most defenders focus entirely on passwords (length, complexity, rotation) and forget that the username is the other half. When your site publishes its usernames, you've handed attackers 50% of the puzzle for free.
It gets worse: enumeration often reveals which account is the administrator, so brute-force and credential-stuffing bots can aim their guesses precisely where a successful hit does the most damage.
How to fix it
The good news is that this is quick to close. You can block the REST users endpoint, block the ?author= redirect, or — easiest of all — let a security plugin handle both with a single toggle. Our security guide walks through each method with copy-paste snippets.
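As an added illustration (not code from the original post or from any particular plugin), the following must-use plugin closes both leaks described above in plain WordPress hooks. It assumes a standard install where the file is dropped into wp-content/mu-plugins/; the plugin name and the choice to keep the routes available to logged-in users are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Block User Enumeration (example)
 * Description: Added example, not the original post's code. Place in
 *              wp-content/mu-plugins/ to close the two leaks described above.
 */

// 1. REST API: hide every /wp/v2/users route from anonymous requests.
// The rest_endpoints filter runs when the REST server builds its route table,
// so dropping the entries makes an anonymous GET /wp-json/wp/v2/users return a
// 404 "rest_no_route" error instead of the author list. Logged-in users keep
// the routes so the block editor's author selector keeps working.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 2. Author archive redirect: refuse /?author=N before WordPress rewrites the
// numeric ID into /author/{username}/. Priority 1 runs ahead of
// redirect_canonical(), which hooks template_redirect at priority 10.
// Only the numeric-ID form is intercepted; pretty /author/{slug}/ archives
// that the theme links to are left untouched.
add_action( 'template_redirect', function () {
    if ( is_admin() || ! isset( $_GET['author'] ) ) {
        return;
    }
    // Send the probe to the home page with a permanent redirect rather than
    // to the author archive, so the ID-to-username mapping is never revealed.
    wp_safe_redirect( home_url( '/' ), 301 );
    exit;
}, 1 );
```

To confirm the change on your own site, request /wp-json/wp/v2/users and /?author=1 without being logged in: the first should now return a JSON error with HTTP 404, the second a 301 to the home page, while an administrator logged into wp-admin sees no difference. One caveat: hiding the users routes from anonymous callers also affects any headless front end or plugin that reads author data over the REST API without authenticating, so test such integrations before rolling this out.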
If you'd rather have someone just take care of it, get in touch.