Recently I noticed various login attempts being blocked by security plug-in this is pretty much ordinary when the attempt is about non-existent users or default/common user names like the website name, or the classic admin etc..

Since the last week the login attempts (blocked after defined failed logins) were of real users, and the strange thing is that in some cases the users are not exposed in articles/pages as authors. Also consider that user iteration is suppressed, accessing ?author=1 gives no results but a 404 page.

it seems that they have found a different way to iterate users, do you know of any possible exploit that can be used and how to secure the websites?

Recently I noticed various login attempts being blocked by security plug-in this is pretty much ordinary when the attempt is about non-existent users or default/common user names like the website name, or the classic admin etc..

Since the last week the login attempts (blocked after defined failed logins) were of real users, and the strange thing is that in some cases the users are not exposed in articles/pages as authors. Also consider that user iteration is suppressed, accessing ?author=1 gives no results but a 404 page.

it seems that they have found a different way to iterate users, do you know of any possible exploit that can be used and how to secure the websites?

• users
• htaccess
• security

• What plugins are you using? I know Yoast SEO likes to enable Author Archives which are visible in the sitemap_index.xml Have you looked at your REST endpoints as well? You might be leaking data... – FaCE Commented May 3, 2019 at 10:31
• @FaCE affected websites are not using Yoast. What should I check about possible data leak? – Nym Commented May 3, 2019 at 10:37

1 Answer 1

You can use the REST API to list users:

/wp-json/wp/v2/users

Add that to the end of your website URL.

Plugins such as Wordfence can prevent anonymous users from accessing this.

You can also disable the REST API if you do not use it.