wordpress · Check
WordPress user enumeration via REST API — disabling /wp-json/wp/v2/users
GET `/wp-json/wp/v2/users` returned a JSON array containing `slug` fields. That endpoint leaks usernames (including admins) to anonymous callers, which is exactly what an attacker needs to focus brute-force and password-spray attacks on real accounts.
Why it matters
Username enumeration is the input to every credential attack: spraying common passwords, phishing real users, or compiling a target list for paste-dump correlation. Closing this endpoint removes a free reconnaissance gift.
Real-world risk
Username enumeration via /wp-json/wp/v2/users gives attackers a vetted list of admins and authors to target with credential stuffing, password spraying, and phishing.
Fix steps (in order)
- Require authentication for the users REST endpoint (a small mu-plugin or security plugin like Wordfence/iThemes can enforce this).
- Avoid using the same string for username and display name — even with the REST endpoint locked, slug-based enumeration via /?author=N can still work.
- Enable login rate limiting and lockouts (Limit Login Attempts Reloaded, Wordfence, or your WAF) so harvested usernames are less useful.
- Verify the endpoint is locked by running: curl -s https://your-site/wp-json/wp/v2/users
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (wp_user_enumeration) clears once the externally-observable signal is in place.