Fill in the form below to make an enquiry or find my contact details on my contact page.

  • This field is for validation purposes and should be left unchanged.

Freelance WordPress Developer

Prevent Enumeration of Usernames In Nginx

Prevent Enumeration of Usernames In Nginx – This is a really simple fix which will block the user enumeration on a WordPress site (like the method by wpscan).
Before I get into this, I am very well aware of the IfIsEvil page on Nginx wiki.  But it also says on this page, “The only safe things which may be done inside if in location context are:  return and rewrite as the last statement in a location block”  With that in mind, we are going to use ONLY rewrite as the last statement in our location block.


Prevent Enumeration of Usernames In Nginx

Add code below on your nginx vhost conf file :

if ($args ~ "^/?author=([0-9]*)"){
set $rule_0 1$rule_0;
if ($rule_0 = "1"){
rewrite ^/$ http://domain.com/404 permanent;

Remember to change the domain name on line 6 🙂

WordPress User Enumeration

A common technique to reveal the usernames of a WordPress based site can be undertaken with this simple bash one-liner.
In many WordPress installations it is possible to enumerate usernames through the author archives, including the admin username (usually ID:1). This is not a new trick and is available in a number of WordPress Security Testing tools. Online free testing tools here.



Hi, I'm a Freelance Web Developer and WordPress Expert based in London with a wealth of website development and support experience. I am great at problem solving and developing quick solutions.