This tutorial explains how to block user-ID phishing (aka, user enumeration), which is what happens when bad actors scan your WordPress-powered site for user IDs. Any discovered user ID information can be used to facilitate a brute-force login attack. Fortunately user-ID scans are trivial to block, either with .htaccess or with a few clicks with BBQ Pro.
Block User ID Phishing with .htaccess
To do it with .htaccess, follow this tutorial.
Block User ID Phishing with BBQ Pro
If you’re protecting your site with BBQ Pro, you can stop user-ID phishing with the following steps:
- Visit BBQ Firewall ▸ Custom Patterns
- Add
author=
to the Query String section - Save your changes
That’s all there is to it. And you can verify that it’s working by clicking the “Test” button next to the pattern. You can also make a few miscellaneous requests in your browser, for example something like:
https://example.com/?author=1
https://example.com/?author=123
https://example.com/?author=999
Of course, you’ll want to change the example.com
to match your own domain. You should find that all such requests are blocked by BBQ Pro, which means that all attempted user-ID scans are going to denied access to your site.