
User Enumeration Protection

User Enumeration Protection prevents attackers from discovering valid usernames on your WordPress site. This security feature blocks multiple attack vectors that attackers commonly use to enumerate user accounts before launching targeted attacks.


Overview

What is User Enumeration?

User enumeration is a reconnaissance technique where attackers discover valid usernames on your site. Once attackers know which usernames exist, they can:

  • Launch targeted brute-force attacks against known accounts
  • Conduct social engineering attacks using real user information
  • Identify high-value targets (administrators, editors)
  • Build lists of valid accounts for credential stuffing

WordPress exposes usernames in many ways by default:

  • REST API: /wp-json/wp/v2/users lists every user who has published a public post, without authentication, including each user’s slug, which by default is the sanitized login name
  • Author Archives: ?author=1 redirects to /author/username/, so walking the numeric IDs maps each one to a username
  • Login Errors: “The username X is not registered” vs “The password you entered for X is incorrect” reveals whether the account exists
  • Password Reset: Different messages for valid vs invalid usernames or emails
  • XML-RPC: Methods like wp.getAuthors and wp.getUsers return user lists (they require valid credentials, so they matter once one account is compromised), and wp.getUsersBlogs accepts a username/password pair and is a common brute-force target
  • oEmbed: Embed responses include author_name and author_url, and author_url points at the user’s /author/username/ archive

Guard Dog’s User Enumeration Protection blocks all these vectors while maintaining legitimate functionality for authorized users.

Key Benefits

  • Blocks all common enumeration vectors with a single feature
  • Configurable per-vector – enable only the protections you need
  • Role-based bypass – administrators can still access blocked endpoints
  • Comprehensive logging – track all enumeration attempts in Activity Log
  • Automatic IP blocking – block repeat offenders automatically
  • Alert notifications – receive immediate or digest alerts for attacks

How It Works

Protection Vectors

Guard Dog protects against seven common enumeration methods:

| Vector | Attack Method | Protection |
| --- | --- | --- |
| REST API Users | Access /wp-json/wp/v2/users | Returns empty array or 404 |
| Author Archives | Request ?author=1 | Returns 404 instead of redirecting to /author/username/ |
| Login Errors | Try different usernames | Generic “Invalid credentials” message |
| Password Reset | Submit different emails | Generic “Check your email” message |
| XML-RPC Users | Call wp.getAuthors | Methods removed from API |
| oEmbed | Scrape embed data | Author info stripped from responses |
| Registration | Try existing usernames | Generic error messages |

Attack Detection and Response

When an enumeration attempt is detected:

  1. Attempt is logged in the Activity Log with details
  2. If blocking is enabled for that vector, the attempt is blocked
  3. If auto-blocking is enabled, repeat offenders are added to IP blacklist
  4. If alerts are enabled, notifications are sent to administrators

Configuration

Navigate to Guard Dog → Login Security → User Enumeration Protection to configure:

Master Settings

Enable User Enumeration Protection:

  • Default: Disabled
  • Description: Master switch for the entire feature
  • Recommendation: Enable for all sites

Protection Vectors

Enable or disable protection for each enumeration vector:

REST API Users Endpoint:

  • Default: Enabled when feature is active
  • What it does: Blocks access to /wp-json/wp/v2/users
  • Note: Authenticated administrators bypass this block

Author Archives:

  • Default: Enabled when feature is active
  • What it does: Answers ?author=N requests with a 404 instead of WordPress’s canonical redirect to /author/username/, and serves 404 for author archive pages
  • Note: Useful for single-author blogs; multi-author sites that rely on author pages may disable it

Login Error Messages:

  • Default: Enabled when feature is active
  • What it does: Returns generic “Invalid credentials” for all login failures
  • Note: Supersedes the separate Login Errors feature when enabled

Password Reset Messages:

  • Default: Enabled when feature is active
  • What it does: Returns “Check your email” regardless of email existence
  • Note: Legitimate users still receive reset emails normally

XML-RPC User Methods:

  • Default: Enabled when feature is active
  • What it does: Removes wp.getAuthors, wp.getUsers, wp.getUsersBlogs
  • Note: Only affects user-related methods; other XML-RPC functions are unaffected. wp.getUsersBlogs is also the call XML-RPC clients such as the WordPress mobile apps use to sign in to a self-hosted site, so removing it breaks those clients (and closes a common brute-force path). If nothing legitimate talks to xmlrpc.php, disabling XML-RPC altogether is the simpler option

oEmbed Author Data:

  • Default: Enabled when feature is active
  • What it does: Strips author information from oEmbed responses
  • Note: Post content still embeds normally

Registration Errors:

  • Default: Enabled when feature is active
  • What it does: Generic error messages when username/email already exists
  • Note: Only relevant if site allows public registration

Bypass Settings

Roles That Bypass Protection:

  • Default: Administrator
  • Available Roles: Administrator, Editor, Author, Contributor, Subscriber
  • Purpose: Allow legitimate admin access to protected endpoints

When to add roles:

  • Add Editor if editors need REST API user access (e.g., for author dropdowns)
  • Add Author if authors need to see other authors
  • Keep minimal for best security

Auto-Block Settings

Enable Auto-Blocking:

  • Default: Enabled
  • Description: Automatically add IPs to blacklist after repeated attempts

Block Threshold:

  • Default: 20 attempts
  • Range: 5 – 100 attempts
  • Description: Number of attempts before IP is blocked

Time Window:

  • Default: 60 minutes
  • Range: 5 – 1440 minutes
  • Description: Time period for counting attempts

Block Duration:

  • Default: 1440 minutes (24 hours)
  • Range: 60 – 43200 minutes (1 hour to 30 days)
  • Description: How long blocked IPs remain on blacklist

Alert Notifications

Immediate Alerts

Send email notification when attack threshold is reached:

Enable Immediate Alerts:

  • Default: Disabled
  • Description: Send email immediately when threshold reached

Alert Threshold:

  • Default: 10 attempts
  • Description: Number of attempts to trigger alert

Time Window:

  • Default: 5 minutes
  • Description: Time period for counting attempts

Alert Email:

  • Default: Site admin email
  • Description: Email address for notifications

Cooldown Period:

  • Default: 60 minutes
  • Description: Minimum time between alerts (prevents flooding)
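The four steps under Attack Detection and Response, with the auto-block and immediate-alert settings above plugged into a small sliding-window model. This is an added example for this page and not Guard Dog’s code; it assumes attempts are counted per IP for blocking and site-wide for alerting, that windows slide rather than reset on a schedule, and that times are epoch seconds. None of that is specified on this page, so the numbers it produces illustrate how the settings interact, not the plugin’s exact behaviour. The IP address and burst are constructed sample data.

```python
"""Sliding-window model of the auto-block and immediate-alert settings.

Added example for this page, not Guard Dog's code. Assumed: attempts count
per IP for blocking and site-wide for alerting, windows slide rather than
reset on a schedule, and times are epoch seconds (none of this is specified
on the page).
"""
from collections import defaultdict, deque


class EnumerationTracker:
    def __init__(self, block_threshold=20, block_window=60 * 60,
                 block_duration=24 * 60 * 60, alert_threshold=10,
                 alert_window=5 * 60, alert_cooldown=60 * 60):
        self.block_threshold, self.block_window = block_threshold, block_window
        self.block_duration = block_duration
        self.alert_threshold, self.alert_window = alert_threshold, alert_window
        self.alert_cooldown = alert_cooldown
        self.per_ip = defaultdict(deque)  # ip -> attempt times inside block_window
        self.site_wide = deque()          # attempt times inside alert_window
        self.blocked_until = {}           # ip -> blacklist expiry
        self.last_alert = None
        self.log = []                     # (time, ip, vector, actions), like the Activity Log

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record(self, ip, vector, now):
        """Steps 1-4 of Attack Detection and Response for one attempt; returns the actions taken."""
        actions = {"logged"}
        if self.is_blocked(ip, now):
            actions.add("blacklisted")  # IP already on the blacklist: refused, nothing more to count
        else:
            window = self.per_ip[ip]
            window.append(now)
            while window and now - window[0] > self.block_window:
                window.popleft()
            if len(window) >= self.block_threshold:
                self.blocked_until[ip] = now + self.block_duration
                window.clear()
                actions.add("auto_blocked")  # added to the blacklist by this attempt
        self.site_wide.append(now)
        while self.site_wide and now - self.site_wide[0] > self.alert_window:
            self.site_wide.popleft()
        if (len(self.site_wide) >= self.alert_threshold
                and (self.last_alert is None or now - self.last_alert >= self.alert_cooldown)):
            self.last_alert = now
            actions.add("alert")
        self.log.append((now, ip, vector, frozenset(actions)))
        return actions


def simulate_burst(attempts=25, spacing=10):
    """Constructed scenario: one IP walks ?author=N every `spacing` seconds.

    Returns ({attempt_number: sorted actions} for attempts where more than
    logging happened, whether the IP is still blocked 24 h after the last one).
    """
    tracker = EnumerationTracker()
    notable = {}
    for i in range(1, attempts + 1):
        actions = tracker.record("203.0.113.7", "author_archive", i * spacing)
        if actions != {"logged"}:
            notable[i] = sorted(actions)
    return notable, tracker.is_blocked("203.0.113.7", attempts * spacing + 24 * 60 * 60)
```

With the defaults, the immediate alert (10 attempts in 5 minutes) fires on the tenth request, well before the auto-block (20 in 60 minutes) lands on the twentieth, and the 60-minute cooldown keeps the continuing burst from sending a second mail. That ordering is the reason the page recommends immediate alerts for active monitoring: by the time an IP is blacklisted, the alert has already gone out.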

Digest Alerts

Receive periodic summaries of enumeration activity:

Enable Digest Alerts:

  • Default: Disabled
  • Description: Send periodic summary emails

Frequency:

  • Options: Daily, Weekly
  • Default: Weekly
  • Description: How often to send digest

Minimum Threshold:

  • Default: 50 attempts
  • Description: Minimum attempts required to send digest

Digest Email:

  • Default: Site admin email
  • Description: Email address for digest notifications

Activity Logging

All enumeration attempts are logged in the Activity Log:

Logged Information:

  • Vector – Which method was used (REST API, author archive, etc.)
  • Action – Whether attempt was blocked or just logged
  • IP Address – Source of the attempt
  • Request URL – Full URL that was requested
  • User Agent – Browser/tool identification
  • Referrer – Where the request came from
  • Geo Data – Country, city, ISP (if IP reputation is enabled)
  • Target User – Username attempted (for login/password reset)
  • Author ID – ID tried (for author archive attempts)

View logs in Guard Dog → Activity Log and filter by event type enumeration_attempt.


Common Use Cases

Single-Author Blog

Scenario: Personal blog with one author

Configuration:

  • Enable all protection vectors
  • Administrator bypass only
  • Enable auto-blocking (20 attempts/60 minutes)
  • Enable weekly digest for awareness

Multi-Author Publication

Scenario: News site or magazine with multiple authors

Configuration:

  • Enable most vectors except Author Archives (needed for author pages)
  • Add Editor to bypass roles (for managing author assignments)
  • Enable auto-blocking with higher threshold (50 attempts)
  • Enable immediate alerts for active monitoring

Membership Site

Scenario: Site with user registration

Configuration:

  • Enable all vectors including Registration errors
  • Keep only Administrator bypass
  • Aggressive auto-blocking (10 attempts/30 minutes)
  • Enable both immediate and digest alerts

WooCommerce Store

Scenario: E-commerce site with customer accounts

Configuration:

  • Enable all vectors
  • Administrator bypass only
  • Moderate auto-blocking (20 attempts/60 minutes)
  • Enable immediate alerts for active attack detection

Headless/Decoupled WordPress

Scenario: WordPress as API backend

Configuration:

  • Keep REST API blocking on unless the frontend actually reads /wp-json/wp/v2/users; the posts, pages and media endpoints are unaffected, and a post’s author field is a numeric ID, not a username. Disable this vector only if author profiles are rendered from the users endpoint
  • Enable all other vectors
  • If the frontend does need user data, add its role to the bypass list and have it authenticate as that role rather than relying on anonymous access
  • Enable logging to monitor API usage

Security Considerations

No Information Leakage

Guard Dog’s protection methods don’t announce themselves: blocked responses look like ordinary WordPress output rather than a security plugin’s error page:

  • REST API: Returns an empty array [] (looks like no users have published posts)
  • Author Archives: Returns 404 (looks like the page doesn’t exist)
  • Login Errors: Same message whether the user exists or not
  • Password Reset: Same message for valid and invalid emails

Residual signals remain, so verify rather than assume. An empty users list on a site whose posts visibly have authors is itself a hint that the endpoint is filtered. Generic messages close the message oracle but not the timing one: WordPress only runs the password hash check when the username exists, so a failed login for a real account takes measurably longer than one for a made-up name. Usernames can also surface through paths outside the seven vectors, such as theme bylines and author links, the users sitemap (wp-sitemap-users-1.xml) that core generates for users with published posts, and the numeric author IDs in /wp-json/wp/v2/posts; check each of these on your own site after enabling the feature.

Defense in Depth

User enumeration protection works alongside other security features:

  • Limit Login Attempts – Prevents brute force even if usernames discovered
  • Two-Factor Authentication – Requires second factor even with valid credentials
  • IP Reputation – Blocks known malicious IPs before they can enumerate
  • Access Control – IP whitelisting limits who can access site

Integration with Existing Features

Login Errors Feature: When User Enumeration Protection is enabled with login error blocking, it supersedes the separate Login Errors feature.

Access Control Blacklist: Auto-blocked IPs are added to the existing IP blacklist managed by Access Control.


Troubleshooting

REST API Not Working

Symptom: WordPress admin features broken (Gutenberg, media uploads)

Cause: REST API blocking may be too aggressive

Solution:

  1. Ensure you’re logged in as Administrator
  2. Check Administrator is in bypass roles
  3. If still broken, disable REST API vector temporarily
  4. Check Activity Log for your IP being blocked

Author Pages 404

Symptom: Author archive pages return 404

Expected Behavior: This is the protection working

If you need author pages:

  1. Disable the “Author Archives” vector
  2. Add Editor/Author to bypass roles if those users need the archives while the vector stays on
  3. Requests for author archives are still logged in the Activity Log for monitoring

Users Can’t Reset Passwords

Symptom: Users report not receiving password reset emails

Check:

  1. Email system working? Test with other WordPress emails
  2. Email Provider configured correctly?
  3. Check spam folders

Note: The protection only affects the message shown, not actual email delivery. Valid users still receive reset emails.

Auto-Block Blocking Legitimate Users

Symptom: Legitimate users blocked from site

Solution:

  1. Check Guard Dog → Access Control for blocked IP
  2. Remove IP from blacklist
  3. Consider increasing auto-block threshold
  4. Add user’s IP to whitelist if needed

Too Many Alert Emails

Symptom: Receiving excessive immediate alert emails

Solutions:

  1. Increase cooldown period (e.g., 120 minutes)
  2. Increase alert threshold (e.g., 20 attempts)
  3. Switch to digest-only alerts
  4. Disable immediate alerts, rely on Activity Log

Best Practices

  1. Enable All Vectors Initially – Start with full protection, disable specific vectors only if needed
  2. Keep Bypass Roles Minimal – Only add roles that genuinely need access
  3. Configure Auto-Blocking – Essential for automatically handling repeat attackers
  4. Monitor Activity Log – Regular review helps identify patterns and adjust settings
  5. Use Digest Alerts – Weekly digest gives overview without email overload
  6. Combine with Other Features – Use alongside 2FA, login limiting, and access control
  7. Test After Configuration – Log out and verify protection works as expected
  8. Document for Users – If you disable certain vectors, document why for future reference

FAQ

Q: Will this break my site?
A: It should not. Blocks apply only to visitors outside the bypass roles, and logged-in administrators bypass all blocks by default. If an admin-side feature such as the block editor’s author dropdown does break, work through the REST API entry under Troubleshooting.

Q: Can attackers tell protection is active?
A: Not from the blocked responses themselves: they look like ordinary WordPress output (empty arrays, 404s, generic messages). A careful attacker can still infer hardening from context, for example an empty users list on a site with bylined posts or the login timing difference noted under Security Considerations, so treat this feature as raising the cost of reconnaissance, not as making usernames unknowable.

Q: Does this replace Limit Login Attempts?
A: No. User Enumeration Protection prevents username discovery. Limit Login Attempts prevents brute force attacks. Use both for best security.

Q: What if I use a headless WordPress setup?
A: Disable REST API blocking only if your frontend reads the users endpoint; otherwise keep it on and add the role your frontend authenticates as to the bypass list. Other protections still work.

Q: Will my authors lose their author pages?
A: Only if Author Archives blocking is enabled. You can disable just that vector to keep author pages.

Q: How do I know if it’s working?
A: Check the Activity Log for enumeration_attempt events. You can also test by logging out and trying protected endpoints.
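The test the answer above describes, scripted against each vector in the Protection Vectors table. This is an added example for this page, not Guard Dog’s code. It assumes the default wp-login.php, xmlrpc.php and wp-json paths, and that it is run logged out (no cookies), because bypass roles mean an administrator session sees the unprotected responses. You supply the site URL, one username you know exists and optionally a post URL for the oEmbed check (python3 enum_check.py https://site.example admin [post_url]); the bogus username is generated, and site.example is a placeholder.

```python
"""Black-box probe of the seven vectors in the Protection Vectors table.
Added example for this page, not Guard Dog's code. Assumes default wp-login.php,
xmlrpc.php and wp-json paths, and that it is run logged out (no cookies).
"""
import json
import re
import secrets
import sys
import urllib.error
import urllib.parse
import urllib.request

FORM = "application/x-www-form-urlencoded"
LIST_METHODS = (b"<?xml version='1.0'?><methodCall><methodName>system.listMethods"
                b"</methodName><params/></methodCall>")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, hdrs, newurl):
        return None  # surface 3xx responses instead of following them


def fetch(url, data=None, ctype=None):
    """GET, or POST when data is given. Returns (status, lower-cased headers, body)."""
    headers = {"User-Agent": "enum-check/1.0", **({"Content-Type": ctype} if ctype else {})}
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=15) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read().decode("utf-8", "replace")


def _json(body):
    """Parse JSON, or return None so an HTML 404 page never raises."""
    try:
        return json.loads(body)
    except ValueError:
        return None


def rest_users_leaks(status, body):
    """True if /wp-json/wp/v2/users listed a user (the slug is the login name by default)."""
    users = _json(body) if status == 200 else None
    return isinstance(users, list) and any(isinstance(u, dict) and "slug" in u for u in users)


def author_redirect_leaks(status, headers):
    """True if ?author=N was redirected to /author/<slug>/, which names the user."""
    return 300 <= status < 400 and "/author/" in headers.get("location", "")


def login_error_text(html):
    """Text inside WordPress's <div id="login_error">, or '' when there is none."""
    m = re.search(r'id="login_error"[^>]*>(.*?)</div>', html, re.S)
    return re.sub(r"<[^>]+>", "", m.group(1)).strip() if m else ""


def login_messages_differ(html_existing, html_bogus):
    """True if a real and a bogus username get different failure messages (the oracle)."""
    return login_error_text(html_existing) != login_error_text(html_bogus)


def reset_reveals_missing_account(status, headers, body):
    """True if lost-password for a bogus address admits that no such account exists."""
    if 300 <= status < 400 and "checkemail=confirm" in headers.get("location", ""):
        return False  # the generic 'check your email' flow
    text = login_error_text(body).lower()
    return "no account" in text or "invalid" in text


def xmlrpc_user_methods(body):
    """User-related wp.* methods still advertised by system.listMethods."""
    return sorted(set(re.findall(r"<string>(wp\.(?:getAuthors|getUsers|getUsersBlogs))</string>", body)))


def oembed_leaks(status, body):
    """True if the oEmbed payload carries author_name/author_url (author_url embeds the slug)."""
    data = _json(body) if status == 200 else None
    return isinstance(data, dict) and bool(data.get("author_name") or data.get("author_url"))


def probe(site, known_user, post_url=None):
    """Run every check; returns {vector: True if that vector still leaks}."""
    site, bogus, out = site.rstrip("/"), "nobody-" + secrets.token_hex(4), {}
    s, h, b = fetch(site + "/wp-json/wp/v2/users")
    out["rest_api_users"] = rest_users_leaks(s, b)
    s, h, _ = fetch(site + "/?author=1")
    out["author_archives"] = author_redirect_leaks(s, h)
    pages = [fetch(site + "/wp-login.php", urllib.parse.urlencode(
        {"log": u, "pwd": "not-the-password", "wp-submit": "Log In"}).encode(), FORM)[2]
        for u in (known_user, bogus)]
    out["login_errors"] = login_messages_differ(*pages)
    s, h, b = fetch(site + "/wp-login.php?action=lostpassword", urllib.parse.urlencode(
        {"user_login": bogus + "@example.invalid", "wp-submit": "Get New Password"}).encode(), FORM)
    out["password_reset"] = reset_reveals_missing_account(s, h, b)
    _, _, b = fetch(site + "/xmlrpc.php", LIST_METHODS, "text/xml")
    out["xmlrpc_user_methods"] = bool(xmlrpc_user_methods(b))
    if post_url is None:  # borrow the newest public post (this endpoint also exposes numeric author IDs)
        posts = _json(fetch(site + "/wp-json/wp/v2/posts?per_page=1")[2])
        post_url = posts[0].get("link") if isinstance(posts, list) and posts else None
    if post_url:
        s, _, b = fetch(site + "/wp-json/oembed/1.0/embed?url=" + urllib.parse.quote(post_url, safe=""))
        out["oembed_author"] = oembed_leaks(s, b)
    return out


if __name__ == "__main__":
    for vector, leaks in probe(*sys.argv[1:4]).items():
        print(f"{vector:20} {'LEAKS' if leaks else 'ok'}")
```

Every login and lost-password POST the script sends is itself an attempt Guard Dog will log and count toward auto-blocking, and the wrong-password login against the known user also counts toward Limit Login Attempts, so run it once from a whitelisted IP or expect to see yourself in the Activity Log. rest_api_users can legitimately report ok on a fresh site with no published posts, because the endpoint only lists users who have published; repeat it once the site has content. The Registration vector is not probed because it depends on whether registration is open at all.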

Q: Can I block specific vectors only?
A: Yes. Each vector can be enabled or disabled independently while keeping the overall feature active.

Q: What’s the difference between immediate and digest alerts?
A: Immediate alerts notify you during an active attack. Digest alerts summarize activity over time. Use immediate for urgent response, digest for regular monitoring.

