Block User Enumeration queries

gee1 · December 1, 2018, 11:45am

Hi all,

I’ve been getting user enumeration attempts on my WordPress site. The server’s blocked all attempts (so far!) but I was thinking of blocking any request made via the author query variable.

Trawling the web I found the following to add to my .htaccess file:

RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule .* - [R=403,L]

However I was wondering whether it would be more efficient to add it as a CF firewall rule - assuming that’s possible?

sdayman · December 1, 2018, 1:54pm

I’d go with a Firewall rule. That will keep the hits from getting to your server.

From memory… If the URL Path doesn’t contain wp-admin, AND URL path contains author=, then Block.

system · December 31, 2018, 11:51am

This topic was automatically closed after 30 days. New replies are no longer allowed.

Topic		Replies	Views
Firewall Rule To Block WordPress REST API User Enumeration Security	10	6260	March 21, 2021
Combining htaccess, file match, deny/allow, and IP address General dash-troubleshooting	7	7570	June 17, 2019
WordPress - Url Encoding - Firewall Rule To Block User Enum Security	6	3163	March 21, 2021
Block wp-admin but exclude password-strength-meter.min.js Security	3	2789	January 23, 2021
WAF rule to do a query string validation on WP-Admin and WP-Login Security	3	262	June 6, 2024

Block User Enumeration queries

Related topics