<b>Username Enumeration Block SOP</b>
Run on every WordPress site — usernames are half the credential.
— Step 1: Block author archive scanning. Redirect or 403 <code>/?author=1</code> through <code>/?author=N</code>.
— Step 2: Lock the REST users endpoint for unauthenticated requests (see the REST API SOP).
— Step 3: Disable author-slug leakage. Set each user's <code>nicename</code> so it differs from the <code>login</code>, so pretty permalinks (<code>/author/&lt;nicename&gt;/</code>) don't expose the login name.
— Step 4: Generic login errors. "Invalid credentials," never "unknown username."
— Step 5: Block enumeration in <code>sitemap-users.xml</code> if your SEO plugin generates one.
— Step 6: Verify with an enumeration tool that no endpoint returns a real login name.
Run this every time.
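The six steps above as one must-use plugin. This is an added example, not code from the Lockdown Ledger channel; it assumes standard WordPress core hooks (<code>template_redirect</code>, <code>rest_endpoints</code>, <code>login_errors</code>, <code>admin_notices</code>) and, for Step 5, that the SEO plugin is Yoast, whose <code>wpseo_sitemap_exclude_author</code> filter is used here. Drop it into <code>wp-content/mu-plugins/</code> so it loads before any ordinary plugin.

```php
<?php
/**
 * Plugin Name: Username Enumeration Block (added example mu-plugin)
 * Description: Implements the six SOP steps: 403 on ?author=N, hide the REST users
 *              endpoint from anonymous callers, generic login errors, no author sitemap,
 *              and an admin notice listing users whose nicename still equals their login.
 */

// Step 1: /?author=N would canonical-redirect to /author/<nicename>/ and leak the slug.
// Priority 1 runs before WordPress's own canonical redirect (priority 10).
add_action( 'template_redirect', function () {
    if ( isset( $_GET['author'] ) ) {
        status_header( 403 );
        nocache_headers();
        exit( 'Forbidden' );
    }
}, 1 );

// Step 2: remove the /wp/v2/users routes for unauthenticated requests only.
// Logged-in editors still need them for the block editor's author picker.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );

// Step 4: one generic message whether the username or the password was wrong.
add_filter( 'login_errors', function () {
    return 'Invalid credentials.';
} );

// Step 5: keep every user out of Yoast's sitemap-users.xml (assumes Yoast SEO is installed;
// the filter is simply never called if it is not). Alternatively disable the author
// sitemap in the Yoast settings.
add_filter( 'wpseo_sitemap_exclude_author', function ( $users ) {
    return array();
} );

// Step 3: the nicename is a per-user field, so this cannot be fixed with a hook alone.
// Show administrators which accounts still expose their login via the author slug.
// Fix each one with wp_update_user( array( 'ID' => $id, 'user_nicename' => 'display-slug' ) )
// or `wp user update <id> --user_nicename=<slug>` (WP-CLI).
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $leaky = array();
    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login', 'user_nicename' ) ) ) as $u ) {
        if ( $u->user_login === $u->user_nicename ) {
            $leaky[] = sprintf( '#%d (%s)', (int) $u->ID, esc_html( $u->user_login ) );
        }
    }
    if ( $leaky ) {
        printf(
            '<div class="notice notice-warning"><p>%s %s</p></div>',
            'Author slug equals login for:',
            implode( ', ', $leaky )
        );
    }
} );
```

Step 6 is then a spot check from outside: an unauthenticated <code>GET /?author=1</code> must return 403, <code>GET /wp-json/wp/v2/users</code> must return <code>rest_no_route</code>, and the author archive URL must show a slug that is not a valid login.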
Lockdown Ledger
@LockdownLedger
This post was published in the Lockdown Ledger Telegram channel. Subscribe via the link: @LockdownLedger.