Block User Enumeration queries

Hi all,

I’ve been getting user enumeration attempts on my WordPress site. The server’s blocked all attempts (so far!) but I was thinking of blocking any request made via the author query variable.

Trawling the web I found the following to add to my .htaccess file:

RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule .* - [R=403,L]

However I was wondering whether it would be more efficient to add it as a CF firewall rule - assuming that’s possible?

I’d go with a Firewall rule. That will keep the hits from getting to your server.

From memory… If the URL Path doesn’t contain wp-admin, AND URL path contains author=, then Block.


This topic was automatically closed after 30 days. New replies are no longer allowed.