Stop User Enumeration


Stop User Enumeration is a plugin that helps you prevent your WordPress usernames from being enumerated.

User Enumeration is a type of attack where nefarious parties can probe your website to discover your login name. This is often a pre-cursor to brute-force password attacks. Stop User Enumeration helps block this attack and even allows you to log IPs launching these attacks to block further attacks in the future.

As the attack IP is logged you can use (optionally) fail2ban to block the attack directly at your firewall, a very powerful solution for VPS owners to stop brute force attacks as well as DDoS attacks.

Since WordPress 4.5 user data can also be obtained by API calls without logging in, this is a WordPress feature, but if you don’t need it to get user data, this
plugin will restrict and log that too.

Donate or go Pro

Keeping your website safe against hackers takes constant innovation, this is an ongoing battle. If you want to keep a free version of this plugin up to up to up to date please donate a small amount now using this link .

Or go pro with Fullworks WP Security register here


  1. Upload plugin-name.php to the /wp-content/plugins/ directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. If needed to change defaults settings, visit the settings page


Installation Instructions
  1. Upload plugin-name.php to the /wp-content/plugins/ directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. If needed to change defaults settings, visit the settings page
Are there any settings?

Yes, but the default ones are fine for most cases

Will it work on Multisite?


Why don’t I just block with .htaccess

A .htaccess solution may suffice, but most published do not cover POST blocking, REST API blocking and still allow admin users access.

Does it break anything?

If a comment is left by someone just giving a number that comment would be forbidden, as it is assume a hack attempt, but the plugin has a bit of code that strips out numbers from comment author names

Do I need fail2ban for this to work?

No, but fail2ban will allow you to block IP addresses at your VPS firewall that attempt user enumeration.

What do I do with the fail2ban file?

You only need this if you are using Fail2Ban.
Place the file wordpress-userenum.conf in your fail2ban installation’s filter.d directory.
edit your jail.local to include lines like
enabled = true
filter = wordpress-userenumaction = iptables-allports[name=WORDPRESS-USERENUM]
sendmail-whois-lines[name=WORDPRESS-USERENUM, dest=youremail@yourdomain, logpath=/var/log/messages]
logpath = /var/log/messages
maxretry = 1
findtime = 600
bantime = 2500000
Adjusted to your own requirements.


Read all 14 reviews

Contributors & Developers

“Stop User Enumeration” is open source software. The following people have contributed to this plugin.




Added language settings to allow translation.

Sanitized text being written to syslog

Closed potential REST API bypass


Security fix to stop XSS exploit

Also coded so should work with PHP 5.3 – although PHP 5.3. has been end of life for over two years it seems some hosts still use this. This is a security risk in its own right and
sites using PHP 5.3 should try to upgrade to a supported version of PHP, but this change is for backward compatibility.


Fix to allow deprecated PHP Version 5.4 to work, as 5.4 seems to still be in common use despite end of life

Note this code wont work on PHP 5.3


Fix PHP error


  • full rewrite
  • Changed detection rules to stop a reported bypass
  • Added detection and suppression of REST API calls to user data
  • Added settings page to allow REST API calls or stop system logging as required
  • Added code to remove numbers from comment authors, and setting to turn that off


  • Simplify code and deal with undefined request and other argument issues


  • Correct issue of undefined index in certain conditions


  • Added donate link to plugin listing


  • code improvement from Thomas van der Westen


  • bug fix to allow comments to use author in url


  • allow comments to use author in url


  • bug fix to POST protection


  • bug fix to POST protection


  • Added protection against bypass using null bytes (thanks to vunerbality identification and solution by cvcrcky )
  • Added protection angainst POST bypass (thanks to vunerbaility identification by urbanadventurer and solution ideas from Ov3rfly and Malivuk )


  • Added code to check whether not admin (to stop admin features failing) and changed trailing slash code to trap situation where not posts are found and user is displayed in title


  • Fixed bug that stopped export in admin


  • Added code to stop bypassing the check when a trailing slash is added


  • minor change to handle a specific php issue with a certain version


  • added close log
  • corrected call to wp die


  • first release