Prevent Enumeration of Usernames In Nginx


Prevent Enumeration of Usernames In Nginx – This is a really simple fix which will block user enumeration on a WordPress site (such as the method used by WPScan).

Before I get into this, I am well aware of the IfIsEvil page on the nginx wiki. But that page also says, "The only 100% safe things which may be done inside if in location context are: return and rewrite as the last statement in a location block". With that in mind, we are going to use ONLY rewrite as the last statement in our location block.


Prevent Enumeration of Usernames In Nginx

Add the code below to your nginx vhost conf file:

# Flag requests whose query string starts with author=<number> (e.g. /?author=1)
if ($args ~ "^/?author=([0-9]*)") {
    set $rule_0 1$rule_0;
}

# Redirect flagged requests to the site root instead of letting WordPress
# answer with the author archive (and the username in the URL)
if ($rule_0 = "1") {
    rewrite ^/$ https://YOUR-DOMAIN/ permanent;   # YOUR-DOMAIN is a placeholder
}

Remember to change the domain name in the rewrite line 🙂
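As an added example that is not from the original post, the same block can be written with nginx's built-in $arg_author variable and a return, which the IfIsEvil page also lists as safe as the last statement in an if inside a location. The server_name, document root and the location / placement are assumptions; PHP handling for the rest of the WordPress vhost is left as it is in your existing config.

```nginx
server {
    listen 80;
    server_name YOUR-DOMAIN;    # placeholder: replace with your site's host name
    root /var/www/wordpress;    # assumed WordPress document root

    location / {
        # $arg_author holds the value of the "author" query parameter wherever it
        # appears in the query string, so both "?author=1" and "?p=2&author=1" match.
        # The anchored $args regex above only matches when author= is the first argument.
        # Only numeric author IDs are redirected; any other request falls through to WordPress.
        if ($arg_author ~ "^[0-9]+$") {
            return 301 $scheme://$host/;
        }
        try_files $uri $uri/ /index.php?$args;
    }

    # your usual "location ~ \.php$" fastcgi block follows here, unchanged
}
```

After reloading nginx, a request to /?author=1 should get a 301 to the site root, while /?p=2 should still be served by WordPress.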

WordPress User Enumeration

In many WordPress installations it is possible to enumerate usernames through the author archives, including the admin username (usually ID 1). This is not a new trick and is available in a number of WordPress security testing tools.

Online free testing tools here.

NOTE: If you are on the Apache web server you should read this post instead; please click here for more info.

Interested in listing WordPress user information? Please visit Nuno Sarmento @ for the code snippet.
