Stop User Enumeration


Stop User Enumeration is a security plugin designed to detect and block attackers scanning your site for user names.

User enumeration is a reconnaissance technique in which an attacker probes your website to discover valid login names. It is often a precursor to brute-force password attacks: once the user name is known, only the password is left to guess. Stop User Enumeration blocks these probes and can log the source IP, so the address can be blocked before it moves on to the password attack.

If you are on a VPS or dedicated server, the logged attack IP lets you (with some optional extra configuration) use fail2ban to block the address directly at your server's firewall. For VPS owners this is a powerful way to stop brute-force attacks, and it also blunts DDoS attempts that come from a limited set of addresses; fail2ban bans one IP at a time, so it is not a defence against a widely distributed flood.

If you don’t have access to install fail2ban ( e.g. on a Shared Host ) you can still use this plugin.

The plugin can also stop the author details (author name and author archive URL, which identify the user) being leaked by the oEmbed API response.

Since WordPress 4.5, user data can also be obtained through REST API calls without logging in. This is a WordPress feature, but if you do not need the API to expose user data, this plugin will restrict and log those calls too.

Since WordPress 5.5, sitemaps are generated by core WordPress (wp-sitemap.xml), including a user/author sitemap that lists author archive URLs and so reveals user names. You can enable or disable removal of this sitemap in the plugin settings.


This section describes how to install the plugin and get it working.

Either use the dashboard 'Add Plugin' feature to find, install and activate the plugin, or:
1. Download the plugin from the download link
2. Upload the entire stop-user-enumeration directory to your website's /wp-content/plugins/stop-user-enumeration using a file manager or FTP
3. Activate the plugin through the Plugins menu


It doesn’t seem to work!

Are you logged in? This plugin does nothing for logged-in users; it only acts on logged-out requests, and that is by design. A common mistake is to install the plugin and test it while still logged in as admin. Test from a private browsing window or a different browser in which you are not logged in.

My user name still seems to be leaked!

Themes and XML feeds include your user 'Display Name'. If you do not set any name details or a nickname, the Display Name defaults to your user name. Make sure your Display Name is NOT your user name, or it will be leaked in multiple places that this plugin cannot cover.
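The two troubleshooting answers above amount to a logged-out check of every vector the plugin covers. The script below is an added example (not part of the plugin) that performs that check: each response is inspected for names matching a login you know, so a clean result means none of the checked vectors exposes it, including the feed's Display Name. The responses are constructed so it runs offline; for a live site, request the same paths while logged out (for instance with urllib.request, without following redirects) and pass the results in the same (status, headers, body) shape.

```python
"""Logged-out leak check for the vectors this FAQ covers.

Added example, not part of the plugin. The sample responses are constructed.
"""
import json
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]          # (status, headers, body)
AUTHOR_ARCHIVE_RE = re.compile(r"/author/([^/?#]+)/?", re.IGNORECASE)
DC_CREATOR = "{http://purl.org/dc/elements/1.1/}creator"
FEED = ('<rss xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><item>'
        '<dc:creator>{}</dc:creator></item></channel></rss>')

# Constructed responses for an unprotected site whose login is "admin" and
# whose Display Name was left at its default (the login name).
UNPROTECTED: Dict[str, Response] = {
    "/?author=1": (301, {"Location": "https://example.com/author/admin/"}, ""),
    "/wp-json/wp/v2/users": (200, {}, json.dumps([{"id": 1, "name": "admin", "slug": "admin"}])),
    "/wp-json/oembed/1.0/embed?url=https://example.com/hello-world/": (200, {}, json.dumps(
        {"author_name": "admin", "author_url": "https://example.com/author/admin/", "html": "<blockquote>..."})),
    "/wp-sitemap-users-1.xml": (200, {}, '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
                                         '<url><loc>https://example.com/author/admin/</loc></url></urlset>'),
    "/feed/": (200, {}, FEED.format("admin")),
}
# The same site with the probes blocked and the Display Name changed.
PROTECTED: Dict[str, Response] = {
    "/?author=1": (403, {}, "forbidden"),
    "/wp-json/wp/v2/users": (403, {}, json.dumps({"code": "rest_forbidden"})),
    "/wp-json/oembed/1.0/embed?url=https://example.com/hello-world/": (200, {}, json.dumps({"html": "<blockquote>..."})),
    "/wp-sitemap-users-1.xml": (404, {}, ""),
    "/feed/": (200, {}, FEED.format("Site Editor")),
}


def _json(body: str):
    try:
        return json.loads(body)
    except ValueError:
        return None


def _xml(body: str):
    try:
        return ET.fromstring(body)
    except ET.ParseError:
        return None


def names_exposed(path: str, status: int, headers: Dict[str, str], body: str) -> List[str]:
    """Candidate user names one response reveals: slugs from /author/ URLs,
    REST user slugs, oEmbed author fields and feed dc:creator values."""
    if path.startswith("/?author=") and status in (301, 302):
        return AUTHOR_ARCHIVE_RE.findall(headers.get("Location", ""))   # redirect to /author/<slug>/
    if status != 200:
        return []                                   # blocked or absent: nothing to read
    if "/wp/v2/users" in path:
        data = _json(body)
        return [u["slug"] for u in data if "slug" in u] if isinstance(data, list) else []
    if "/oembed/" in path:
        data = _json(body)
        data = data if isinstance(data, dict) else {}
        return AUTHOR_ARCHIVE_RE.findall(data.get("author_url", "")) + [data.get("author_name", "")]
    if path.startswith("/wp-sitemap-users"):
        root = _xml(body)
        return AUTHOR_ARCHIVE_RE.findall(ET.tostring(root, encoding="unicode")) if root is not None else []
    if path.startswith("/feed"):
        root = _xml(body)
        return [el.text for el in root.iter(DC_CREATOR) if el.text] if root is not None else []
    return []


def audit(responses: Dict[str, Response], known_logins) -> Dict[str, List[str]]:
    """Map each leaking path to the known login names it exposes; {} means clean."""
    logins = {name.lower() for name in known_logins}
    leaks: Dict[str, List[str]] = {}
    for path, (status, headers, body) in responses.items():
        hits = sorted({n for n in names_exposed(path, status, headers, body) if n and n.lower() in logins})
        if hits:
            leaks[path] = hits
    return leaks


if __name__ == "__main__":
    print(audit(UNPROTECTED, {"admin"}))   # every vector leaks "admin"
    print(audit(PROTECTED, {"admin"}))     # {}
```

The feed check is the one the plugin cannot fix for you: it only reports a leak when the Display Name equals a login you listed, which is exactly the misconfiguration the answer above warns about.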

Are there any settings?

Yes, but the defaults are fine for most cases.

This doesn’t work with PHP 5.2!

This plugin does not support PHP 5.2. PHP 5.2 is very old and you need to sort out your hosting: running software far past its supported end of life is a security risk in itself.

Will it work on Multisite?


Why don’t I just block with .htaccess?

A .htaccess solution is insufficient for several reasons. Most published rules on the subject do not cover POST requests or the REST API, and they often inadvertently block admin users' access (the admin screens use the same author parameter to filter posts). They also do not log the IP to a firewall, which is the major benefit of this plugin.

Does it break anything?

If a comment is submitted with an author name that is just a number, it would be treated as an enumeration attempt and forbidden, because the comment form's name field is also called "author". To avoid this, the plugin strips digits from comment author names; there is a setting to turn that off.
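To make the two answers above concrete, here is an added example (this is not the plugin's code) of the server-side decision a .htaccess rule cannot express: the author parameter is checked in POST bodies as well as query strings, the REST users route is matched case-insensitively in both URL forms WordPress accepts, logged-in users and admin screens are never blocked, oEmbed is scrubbed rather than blocked so embeds keep working, and digits are stripped from comment author names before they reach the check. The Request class, the reason strings and the allow_rest_users flag are this example's own names.

```python
"""Classification of user-enumeration requests (added example, not plugin code)."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:                # hypothetical request shape for this example
    method: str
    url: str                  # path plus query string, e.g. "/?author=1"
    body: str = ""            # urlencoded form body for POST requests
    logged_in: bool = False   # derived from the WordPress login cookie in real code


# Route checks are case-insensitive (the changelog notes a case-insensitive REST check).
REST_USERS_RE = re.compile(r"^/wp/v2/users(?:/\d+)?/?$", re.IGNORECASE)
AUTHOR_SITEMAP_RE = re.compile(r"^/wp-sitemap-users-\d+\.xml$", re.IGNORECASE)


def rest_route(path: str, query: dict) -> Optional[str]:
    """REST route targeted via /wp-json/<route> (pretty permalinks) or
    ?rest_route=<route> (plain permalinks); None for non-REST requests."""
    if query.get("rest_route"):
        return query["rest_route"][0]
    if path.lower().startswith("/wp-json/"):
        return path[len("/wp-json"):]
    return None


def classify(req: Request, allow_rest_users: bool = False) -> Optional[str]:
    """Return a short reason to block and log the request, or None to allow it."""
    if req.logged_in:
        return None                       # admin screens use ?author=N legitimately
    parts = urlsplit(req.url)
    path, query = parts.path, parse_qs(parts.query)
    if path.startswith("/wp-admin/") or path == "/wp-login.php":
        return None
    # 1. numeric author id in the query string or, for POST, in the body
    sources = [("GET", query)]
    if req.method.upper() == "POST":
        sources.append(("POST", parse_qs(req.body)))
    for source, params in sources:
        for value in params.get("author", []):
            clean = value.strip().rstrip("/")
            if clean.isdigit():
                return f"author id {clean} via {source}"
    # 2. REST users route, unless the site owner needs it
    route = rest_route(path, query)
    if route and not allow_rest_users and REST_USERS_RE.match(route):
        return f"REST users route {route}"
    # 3. core author sitemap
    if AUTHOR_SITEMAP_RE.match(path):
        return "author sitemap"
    return None


def scrub_oembed(data: dict) -> dict:
    """Drop the author fields from an oEmbed response instead of blocking the
    endpoint (in WordPress this is done on the oembed_response_data filter)."""
    return {k: v for k, v in data.items() if k not in ("author_name", "author_url")}


def sanitise_comment_author(name: str) -> str:
    """Strip digits so an all-numeric comment name is not read as a POSTed author id."""
    return re.sub(r"\d", "", name).strip()


if __name__ == "__main__":
    for r in (Request("GET", "/?author=1"), Request("POST", "/", body="author=2"),
              Request("GET", "/?rest_route=/WP/v2/Users"), Request("GET", "/?author=1", logged_in=True)):
        print(r.method, r.url, "->", classify(r))
```

The .htaccess gap is visible in classify(): the POST branch and the rest_route lookup are request-body and query-parameter logic, and the logged_in short-circuit needs the session state that a web-server rule never sees.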

Do I need fail2ban for this to work?

No, but fail2ban lets you block IP addresses that attempt user enumeration at your VPS / dedicated server firewall.

What is the fail2ban config?

A fail2ban filter file, wordpress-userenum.conf, is found in the plugin directory stop-user-enumeration/fail2ban/filter.d.

What needs to go in the fail2ban jail.local?

An example jail.local is found in the plugin directory stop-user-enumeration/fail2ban.
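The three fail2ban answers above describe a pipeline: the plugin writes a syslog line per blocked probe, the filter's failregex extracts the client IP, and the jail bans an address once it trips maxretry within findtime. The following added example (not the shipped wordpress-userenum.conf or jail.local) reproduces that pipeline offline so the sample lines can be checked. The log line format, the failregex and the sample lines are assumptions made for this example; the plugin's own filter file is the authoritative source for the real pattern.

```python
"""fail2ban-style filter and jail semantics over constructed syslog lines.

Added example, not the plugin's filter. Log format and regex are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed log line format; read the plugin's filter.d file for the real one.
FAILREGEX = r"wordpress\([^)]*\)\[\d+\]: Blocked user enumeration attempt from <HOST>$"

# fail2ban substitutes <HOST> with its own host pattern; a simplified IPv4/IPv6 one here.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]+)"

# Constructed sample syslog lines (TEST-NET addresses, not real traffic).
SAMPLE_LINES = [
    "Oct  7 10:15:02 web1 wordpress(example.com)[1234]: Blocked user enumeration attempt from 203.0.113.5",
    "Oct  7 10:15:03 web1 wordpress(example.com)[1234]: Blocked user enumeration attempt from 203.0.113.5",
    "Oct  7 10:15:10 web1 sshd[999]: Failed password for root from 198.51.100.9 port 4444 ssh2",
    "Oct  7 10:16:40 web1 wordpress(example.com)[1234]: Blocked user enumeration attempt from 198.51.100.9",
    "Oct  7 10:16:41 web1 wordpress(example.com)[1234]: Blocked user enumeration attempt from 203.0.113.5",
    "Oct  7 10:40:00 web1 wordpress(example.com)[1234]: Blocked user enumeration attempt from 198.51.100.9",
    "Oct  7 10:41:00 web1 wordpress(example.com)[1234]: Blocked user enumeration attempt from 192.0.2.1",
]


def compile_failregex(failregex: str) -> "re.Pattern":
    """Turn a fail2ban-style failregex (with <HOST>) into a Python pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_line(line: str, pattern: "re.Pattern", year: int = 2021) -> Optional[Tuple[datetime, str]]:
    """Timestamp and offending host for a matching line, None otherwise.
    Classic syslog timestamps carry no year, so one is supplied."""
    m = pattern.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("host")


def bans(lines, pattern, maxretry: int = 3, findtime: timedelta = timedelta(minutes=10),
         ignoreip=()) -> List[str]:
    """Hosts a jail with these settings would ban, in the order they trip it."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    banned: List[str] = []
    for line in lines:
        parsed = parse_line(line, pattern)
        if parsed is None:
            continue
        ts, host = parsed
        if host in ignoreip or host in banned:
            continue
        # keep only hits inside the findtime window ending at this hit
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print(bans(SAMPLE_LINES, compile_failregex(FAILREGEX)))   # ['203.0.113.5']
```

The maxretry, findtime and ignoreip parameters correspond to the jail.local keys of the same names; bantime is not modelled because it only affects how long the ban lasts. The sshd line shows why the failregex is anchored on the plugin's own program name: other services' failures must not feed this jail. Put your own management address in ignoreip before enabling the jail, and consider the bantime carefully, as one reviewer below notes that the shipped 7-day example may be longer than you want.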


7 October 2021
Super helpful plugin! Not only does it work with direct enumeration hijacking, but also helps block any malicious API calls, and hides WP's own wp-sitemap.xml user/author data. For advanced setups it also comes with fail2ban support. Combine it with a hide default wp-admin page plugin, and you can start feeling a little safer.
13 July 2021
Thanks to the creator. There was a massive drop in my daily targeted hacking attempts since I installed this. They still try, but less. I only wish I installed this a long time ago, because they were able to get some of my personal information (such as the email I use to login to WP). Thanks again..
8 October 2019
Works like a champ on my server where I host 4 independent WP installs. I had to install the plugin to all of the WP installs. A couple of hours later fail2ban was full of bad guys' IPs trying to enumerate users. I prefer such plugins that do one thing and do it well instead of some bloated plugins. One might want to change the provided fail2ban jail, 7 days ban might be a lot for some.
21 June 2018
This plugin is easy to install and set-up; however, it is not obvious that it is working as expected when you look at your website on the back-end... You have to log out and then go to http(s)://<>/?author=1 And if the page that comes up says something like "forbidden page" then the plugin is working! And it is working for all author numbers, so you do not have to repeat the test for "author=2", etc. Also, even if this plugin is doing its job your theme may be allowing the information (that the plugin protects) to show through anyway. In that case reach out to your theme author for help with that, but keep this plugin active. Support is very thorough and detailed in the responses - very happy with that!
Read all 16 reviews

Contributors & developers

“Stop User Enumeration” is open source software. The following people have contributed to this plugin.


Translate “Stop User Enumeration” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log via RSS.



  • be case insensitive when checking REST API


  • Upgrade to version 1.3.30 to disable author sitemaps; you will need to enable this in settings (closes issue #6)


  • Option to remove author sitemaps


  • Minor javascript fix
  • better IP detection for proxies


  • Library update


  • Removed console issue when no comments turned on


  • Updated library


  • Removed link


  • Changed settings page


  • Removed donate link


  • Moved support link to settings page to reduce menu clutter
  • Updated Freemius library to 2.3.0


  • Changed menu name and support link


  • minor improvement


  • minor improvement


  • minor tweak to work better with 5.0


  • changed settings page to stop random metaboxes


  • Reworked settings page


  • fix to ensure scripts not enqueued unless required


  • fix double plugin header


  • ability to link to shared host firewall ( fullworks-firewall )


  • Resolve some missing files


  • Added language localisation for translations
  • Added Spanish translation


Fixed unused JavaScript & CSS in settings page


Added language settings to allow translation.

Sanitized text being written to syslog

Closed potential REST API bypass


Security fix to stop XSS exploit

Also coded so it should work with PHP 5.3. Although PHP 5.3 has been end of life for over two years, some hosts still use it. This is a security risk in its own right, and sites using PHP 5.3 should upgrade to a supported version of PHP, but this change is for backward compatibility.


Fix to allow the deprecated PHP version 5.4 to work, as 5.4 still seems to be in common use despite being end of life

Note this code won't work on PHP 5.3


Fix PHP error


  • full rewrite
  • Changed detection rules to stop a reported bypass
  • Added detection and suppression of REST API calls to user data
  • Added settings page to allow REST API calls or stop system logging as required
  • Added code to remove numbers from comment authors, and setting to turn that off