This tutorial explains how to block user-ID phishing (aka user enumeration), which is what happens when bad actors scan your WordPress-powered site for user IDs. Any discovered user ID information can be used to facilitate a brute-force login attack. Fortunately, user-ID scans are trivial to block, either with .htaccess or with a few clicks in BBQ Pro.

Block User ID Phishing with .htaccess

To do it with .htaccess, follow this tutorial.

Block User ID Phishing with BBQ Pro

If you’re protecting your site with BBQ Pro, you can stop user-ID phishing with the following steps:

  1. Visit BBQ Firewall ▸ Custom Patterns
  2. Add author= to the Query String section
  3. Save your changes

That’s all there is to it. And you can verify that it’s working by clicking the “Test” button next to the pattern. You can also make a few miscellaneous requests in your browser, for example something like:

https://example.com/?author=1
https://example.com/?author=123
https://example.com/?author=999

Of course, you’ll want to change example.com to match your own domain. You should find that all such requests are blocked by BBQ Pro, which means that all attempted user-ID scans are going to be denied access to your site.
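
To confirm the rule from your server's access log rather than by hand, the following added example (not part of BBQ Pro or the original tutorial) counts requests whose query string contains author= and reports, per client IP, how many were blocked and how many got through. It assumes a combined-format access log and that a blocked request is logged with status 403; the function name and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common/combined log format: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def audit_author_requests(lines, blocked_status=403):
    """Group requests whose query string contains author= by client IP.

    Returns {ip: {"blocked": n, "allowed": n}}. "allowed" counts requests
    that did NOT receive blocked_status, i.e. the rule did not stop them.
    blocked_status=403 is an assumption; adjust it to what your site logs.
    """
    report = defaultdict(lambda: {"blocked": 0, "allowed": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        query = urlsplit(target).query
        # Same string as the custom pattern added in the steps above.
        if "author=" not in query.lower():
            continue
        key = "blocked" if int(status) == blocked_status else "allowed"
        report[ip][key] += 1
    return dict(report)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 403 199 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /?author=123 HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2024:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:10:05:09 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2024:10:06:00 +0000] "GET /?s=author HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, counts in audit_author_requests(SAMPLE_LOG).items():
        flag = "RULE MISSED" if counts["allowed"] else "ok"
        print(f"{ip}: {counts} {flag}")
```

Any IP with a non-zero "allowed" count made an author= request that was not blocked, which means the pattern is missing or was logged before it was saved.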