Blocking WordPress Author Enumeration
Author enumeration is a reconnaissance technique attackers use to discover valid WordPress usernames before launching a brute force attack.
What is Author Enumeration?
WordPress has a built-in URL shortcut: https://yoursite.com/?author=1. With pretty permalinks enabled, visiting this URL sends a 301 redirect to the author archive for the user with ID 1, typically your main admin account, and the redirect target (for example https://yoursite.com/author/adminname/) contains that user's login slug. Attackers iterate through ?author=1, ?author=2, and so on to collect every username on your site; an ID that belongs to no user returns a 404 instead, so the response even tells them which IDs are worth trying.
Once they have a valid username, a brute force attack no longer has to guess both halves of the credential; it only needs to find the password, and wp-login.php or XML-RPC will happily keep answering attempts.
How WP 1 Click LockDown Blocks Enumeration
When "Block ?author= enumeration" is enabled, any front-end request whose author parameter is a numeric value triggers an immediate 301 redirect to your homepage. The response carries no author slug, and because a valid ID and an invalid one now get the same answer, the attacker can no longer tell which IDs exist. Keep in mind that this setting only closes the ?author= shortcut: the same slug still appears wherever WordPress links to an author archive (the byline on posts, /author/slug/ URLs, and the core user sitemap at /wp-sitemap-users-1.xml on WordPress 5.5 and later), so treat it as one layer of username hygiene rather than the whole fix.
What About the REST API?
The WordPress REST API also exposes usernames at /wp-json/wp/v2/users, which lists every user who has published a public post, with no login required. This is a separate attack vector, and blocking ?author= does nothing about it. WP 1 Click LockDown covers this with the "Hide public REST /users/ endpoints" setting in the Hardening section (Single Site plan+).
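As an added illustration of the two controls above, here is a minimal must-use plugin that applies the same idea in plain WordPress hooks. This is example code written for this article, not WP 1 Click LockDown's own implementation; the hook names, priorities and REST route keys are WordPress core's, while the file name, the treatment of array-shaped ?author[] values and the logged-in exemption for the REST routes are choices made for the example.

```php
<?php
/**
 * Plugin Name: Author enumeration block (illustrative example)
 * Description: Example code for this article, not the plugin's own code.
 *              Save as wp-content/mu-plugins/block-author-enum.php.
 */

// Front end: any request whose ?author= value is all digits gets a 301 to the homepage.
// Hooked on 'init' at priority 1 so it runs before redirect_canonical() on
// 'template_redirect' (priority 10), which is what would otherwise turn
// ?author=1 into /author/<slug>/ and leak the login slug in the Location header.
add_action( 'init', function () {
	// wp-admin uses ?author= legitimately (edit.php?author=5 filters the post list).
	if ( is_admin() || ! isset( $_GET['author'] ) ) {
		return;
	}

	$author = $_GET['author'];

	// Example choice: block digit strings (the enumeration shape) and array values
	// such as ?author[]=1, which no legitimate front-end link produces.
	// Other shapes (author=-1, author=1,2) are left to WordPress as usual.
	if ( is_array( $author ) || preg_match( '/^\d+$/', (string) wp_unslash( $author ) ) ) {
		wp_safe_redirect( home_url( '/' ), 301 );
		exit;
	}
}, 1 );

// REST API: remove the public /wp/v2/users routes for anonymous requests so they
// answer with rest_no_route (HTTP 404). Logged-in users keep them, because the block
// editor's author picker depends on the list endpoint.
add_filter( 'rest_endpoints', function ( $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}

	// Route keys exactly as WP_REST_Users_Controller registers them.
	foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
		unset( $endpoints[ $route ] );
	}

	return $endpoints;
} );
```

To check the result, run `curl -sI 'https://yoursite.com/?author=1'` and confirm a 301 whose Location header is the bare homepage rather than an /author/ path, then run `curl -s 'https://yoursite.com/wp-json/wp/v2/users'` without any cookies and confirm the JSON body reports the code rest_no_route instead of a list of users.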
Additional Username Protection
- Never use "admin" as a username; it is the first one tried in every brute force attack, so a login named "admin" gets attacked whether or not enumeration is blocked.
- Set your display name (the name shown on posts) to something different from your login username. Note that the author archive slug (WordPress's user_nicename) is generated from the login name when the account is created and is not changed by the display name, so it has to be changed separately if it still matches your login.
- Use a strong, unique password and enable 2FA on all admin accounts, so that a leaked username alone is not enough to get in.