An attacker can bypass the username enumeration protection by using POST requests. The protection currently only stops GET requests to enumerate users.
By sending POST requests with the body of "author=1" and incrementing the number for successive requests, the entire set of WordPress users can be enumerated.
The WordPress user information is disclosed in the HTML response body, unlike being disclosed in the redirect header, as with GET requests.
POST / HTTP/1.1 Host: www.wordpress.com Content-Type: application/x-www-form-urlencoded Content-Length: 8 author=1