Prevent User Enumeration Attacks

This plugin prevents the two sources of user enumeration attacks in WordPress: the backward compatibility with old URL formats, and the attempt to be nice to users by giving detailed error messages on the login page.

Not sure what a user enumeration attack is? Usually an attacker needs to figure out two pieces of information: the user name and the password. If he doesn’t know the user name, the real secret he faces is the combination of user name and password, which is stronger than the password by itself.
The goal of a user enumeration attack is to figure out which user names represent actual users in the system, so that the attacker can focus on just those.

The user enumeration attack resulting from the backward compatibility is very simple. Without “pretty permalinks”, WordPress uses the scheme {site name}?author=n to identify the page listing the recent posts of the author with id number n. When the site is switched to “pretty permalinks”, the URL of that page changes to {site name}/author/{user name}, and anyone who accesses the old format is automatically redirected to the new URL.

This means that an attacker can access the address {site name}?author=1 and learn, from the URL to which he is redirected, the user name of the user with id 1. Repeating the request with n = 2, 3, 4, … yields the rest of the user names.

The plugin solves this issue by redirecting the non-pretty-permalink style URLs to the home page instead of to the corresponding URL in the pretty permalink format. This means that you should not use this plugin if you have any significant traffic to URLs of the form {site name}?author=n, which usually you will not have at all, especially if you set up pretty permalinks early in the life of the site.

The attack on the login page exploits the very literal and helpful error messages presented to the user when he fails to log in or tries to reset his password. The error associated with a failed login is detailed enough to say whether the user name is right and just the password is wrong, which exposes the user name. The messages associated with the password reset indicate when a reset email was sent and when it wasn’t because the user doesn’t exist.

The plugin solves those issues by:

  1. Giving a very general message when login fails, something like “the user name or password is wrong”.
  2. Forcing the password reset mechanism to accept only an email address.

Obviously both changes hurt the UX somewhat, but I can’t believe there is any user who is more likely to remember his user name than his password.
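As an added illustration, not the plugin’s own code, the following snippet shows how the three behaviours described above can be implemented with standard WordPress hooks. It would live in a small must-use plugin or a theme’s functions.php. The hook names (`init`, `login_errors`, `lostpassword_post`) and functions (`wp_safe_redirect`, `home_url`, `is_email`, `wp_unslash`) are real WordPress APIs; the `$errors` argument to `lostpassword_post` is assumed to be available, which means a WordPress version newer than the 3.9 minimum stated below (it was added in 4.4).

```php
<?php
/**
 * Illustrative hardening against the two user-enumeration paths described above.
 * Added example for this page, not the plugin's own source.
 */

// 1. Send ?author=N to the home page. Without this, WordPress's canonical
//    redirect answers with /author/{user_login}/, which reveals the login name.
add_action( 'init', function () {
    if ( is_admin() ) {
        return;
    }
    // Only the numeric form leaks anything: /author/{name}/ already contains the name.
    $author = isset( $_REQUEST['author'] ) ? (string) wp_unslash( $_REQUEST['author'] ) : '';
    if ( preg_match( '/^\d+$/', $author ) ) {
        // Accepted trade-off (see above): any legitimate traffic to ?author=N
        // lands on the home page instead of the author archive.
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// 2. Same message whether the user name or the password was wrong.
//    'login_errors' receives the already-built error string for the login screen.
//    It is also applied on the lost-password screen, so only rewrite it for the
//    plain login action and leave the reset flow's own message intact.
add_filter( 'login_errors', function ( $error ) {
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : 'login';
    if ( 'login' !== $action ) {
        return $error;
    }
    return __( 'Invalid user name or password.' );
} );

// 3. Password reset accepts only an e-mail address, so the form can no longer be
//    fed candidate user names. $errors is the WP_Error that retrieve_password()
//    passes to this hook (WordPress 4.4+); adding an error aborts the reset.
add_action( 'lostpassword_post', function ( $errors ) {
    $login = isset( $_POST['user_login'] ) ? trim( (string) wp_unslash( $_POST['user_login'] ) ) : '';
    if ( ! is_email( $login ) ) {
        $errors->add( 'email_only', __( 'Please enter the e-mail address of your account.' ) );
    }
} );
```

Two caveats a practitioner should keep in mind. Restricting the reset form to e-mail addresses stops user-name probing, but the reset response can still reveal whether a given e-mail address is registered, so the “check your email” and “no such account” responses should be made indistinguishable as well if that matters for your site. Newer WordPress versions also expose user names through channels this page does not cover, such as the REST API users endpoint, which this snippet does nothing about.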

Settings

None; it works out of the box without any need for configuration.

Compatibility

WordPress 3.9 and above, both for standalone and multisite/network installs.
