WordPress powers over 40% of the web, making it a lucrative target for attackers. User enumeration in WordPress is a potential vulnerability that attackers can exploit to gain insights into a website’s user accounts. While it may seem harmless at first glance, it can serve as a precursor to more severe attacks, such as brute-force login attempts.
User enumeration occurs when attackers can determine valid usernames registered on a WordPress
site. Typically, attackers probe a site by interacting with login forms, author archives or APIs
to extract usernames. These usernames can then be used in targeted brute-force attacks to guess
passwords or compromise accounts.
For example:
Accessing the /?author=1 URL on some WordPress sites might redirect the attacker to a page like /author/admin, revealing the username admin.
Sending crafted login requests may produce different error messages for valid and invalid usernames.
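As an added example from the defender's side (not code from the original post), the Python below scans web-server access-log lines for the /?author=N probing pattern described above: it flags any client that walks through several author ids and records which usernames the follow-up /author/<name>/ requests exposed. The log lines are constructed, and the threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /author/editor-jane/ HTTP/1.1" 200 4800 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "https://example.org/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTHOR_PROBE_RE = re.compile(r'^/\?author=(\d+)$')      # the enumeration request
AUTHOR_PAGE_RE = re.compile(r'^/author/([^/?]+)/?$')    # where the redirect lands

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_author_enumeration(log_text, threshold=2):
    """Map each client IP that probed at least `threshold` distinct ?author=N ids
    to (sorted ids probed, sorted usernames exposed by the follow-up /author/<name>/ hit).
    A probe that answers 404 (no such user) leaks nothing, so it is not paired with a page."""
    ids = defaultdict(set)
    names = defaultdict(set)
    last_was_redirected_probe = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        probe = AUTHOR_PROBE_RE.match(rec["path"])
        page = AUTHOR_PAGE_RE.match(rec["path"])
        if probe:
            ids[ip].add(int(probe.group(1)))
            last_was_redirected_probe[ip] = rec["status"] in ("301", "302")
        elif page and last_was_redirected_probe.get(ip):
            names[ip].add(page.group(1))
            last_was_redirected_probe[ip] = False
        else:
            last_was_redirected_probe[ip] = False
    return {ip: (sorted(s), sorted(names[ip])) for ip, s in ids.items() if len(s) >= threshold}

if __name__ == "__main__":
    for ip, (probed, leaked) in find_author_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed author ids {probed}, usernames exposed {leaked}")
```

The single visitor at 198.51.100.7 falls below the threshold, which is what keeps an ordinary reader who followed one author link out of the alert.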