Here’s an easy way to enumerate user names on a standard WP install: request a URL like https://www.example.com/?author=1 . (Added note: you might need to use an actual page/post URL, as in https://www.example.com/a-real-page?author=1 .) WordPress answers by redirecting to the author archive of the user with ID 1, so that account’s login name shows up in the Location header and in the URL you land on. In a WP install the first user created is an admin-level user, so the URL above will most likely hand you the admin’s user name, and you can then start brute-forcing that account’s password.
And if you use xmlrpc.php, whose system.multicall method lets you pack many login attempts into a single HTTP request, you can brute-force even faster.
Here’s how you prevent the user enumeration:
// Send any front-end request that carries the author query var back to the home page.
// is_admin() is true for dashboard requests, not for admin users; it only keeps this off wp-admin.
function redirect_to_home_if_author_parameter() {
    $is_author_set = get_query_var( 'author', '' );
    if ( $is_author_set != '' && ! is_admin() ) {
        wp_redirect( home_url(), 301 );
        exit;
    }
}
// Priority 1 matters: WordPress hooks redirect_canonical() on template_redirect at priority 10,
// and that is what turns /?author=1 into a 301 to /author/<login>/. Running after it would leak the name first.
add_action( 'template_redirect', 'redirect_to_home_if_author_parameter', 1 );
That redirects any user enumeration request (the URL I mentioned) to the home page. Two things to be aware of: is_admin() only means the request is for a dashboard screen, it does not check whether the visitor is an admin, so the redirect also applies to a logged-in admin browsing the front end; and pretty author-archive URLs (/author/name/) set the same author query var, so this effectively disables author archives as well.
Another precaution is to disable xmlrpc.php, and to not have a user named ‘admin’ (or, if you do, demote that account to a non-admin role).
Disable xmlrpc.php (which has lots of opportunities for hacking your site) with this:
add_filter('xmlrpc_enabled', '__return_false');
Place both code fragments in your functions.php (preferably in your Child Theme), or create a simple plugin with the above code. Note that the xmlrpc_enabled filter only rejects the methods that require a login, which is what stops the multicall brute force; xmlrpc.php itself still answers unauthenticated calls such as pingbacks, so if you don’t need XML-RPC at all, also deny access to the file in your web server configuration.
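Here is the same hardening collected into one small plugin, as an added example (it is not the code above and not part of WordPress): it blocks the ?author= query string before WordPress’s own canonical redirect can leak the login name, cancels that canonical redirect as a second line of defence, and disables XML-RPC authentication. The example_ prefixed function names are my own choices, not WordPress functions.

```php
<?php
/*
Plugin Name: Block Author Enumeration (example)
Description: Added example: stop /?author=N user enumeration and XML-RPC brute force.
*/

// Hypothetical helper (the example_ prefix is mine, not a WordPress function).
// True when a front-end request carries an author= parameter in the query string.
// $_GET is used instead of get_query_var() so that pretty author archives
// (/author/name/) keep working; only the ID-based probe is blocked.
function example_is_author_probe() {
    // is_admin() means "this is a dashboard request", NOT "the visitor is an admin".
    if ( is_admin() ) {
        return false;
    }
    return isset( $_GET['author'] );
}

// Send the probe back to the home page.
// Priority 1 is the important part: WordPress hooks redirect_canonical() on
// template_redirect at priority 10, and that is the function that turns
// /?author=1 into a 301 to /author/<login>/. Running after it (the default
// priority) would leave the login name sitting in the Location header.
function example_block_author_probe() {
    if ( example_is_author_probe() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
add_action( 'template_redirect', 'example_block_author_probe', 1 );

// Second line of defence: even if another plugin redirects earlier, refuse to
// canonicalise an author= request. Returning false from this filter cancels
// the redirect that redirect_canonical() was about to send.
function example_no_canonical_author_redirect( $redirect_url, $requested_url ) {
    if ( isset( $_GET['author'] ) ) {
        return false;
    }
    return $redirect_url;
}
add_filter( 'redirect_canonical', 'example_no_canonical_author_redirect', 10, 2 );

// XML-RPC: with this filter every method that needs a login fails in
// wp_xmlrpc_server::login(), so a system.multicall full of wp.getUsersBlogs
// password guesses gets nothing. Unauthenticated methods (pingback.ping,
// system.listMethods) still answer; block xmlrpc.php in the web server if you
// don't need them.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Drop this file into wp-content/plugins/ and activate it, or paste everything below the header comment into a child theme’s functions.php. To confirm it works, request /?author=1 with a client that does not follow redirects and check that the Location header points at the home page rather than at /author/<login>/. The example only covers the two channels discussed on this page; the REST API users route is a separate enumeration channel that it does not touch.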
More about the user enumeration problem in my blog here.