Prevent Enumeration of Usernames In Nginx – This is a simple fix that blocks user enumeration on a WordPress site (the /?author=N probe used by tools such as wpscan).
Before I get into this, I am well aware of the IfIsEvil page on the nginx wiki. But that same page also says, “The only safe things which may be done inside if in location context are: return and rewrite as the last statement in a location block.” With that in mind, we are going to use ONLY rewrite as the last statement in our location block.


Prevent Enumeration of Usernames In Nginx

Add the code below to your nginx vhost conf file, inside the server block for the site:

# Match a query string that starts with author=<digits>.
# $args never carries a leading "/", so the "^/?" is only tolerated, not required.
if ($args ~ "^/?author=([0-9]*)"){
    set $rule_0 1$rule_0;
}

# Only the root path is rewritten, so this fires for /?author=N and nothing else.
# Replace domain.com with your own host name.
if ($rule_0 = "1"){
    rewrite ^/$ http://domain.com/404 permanent;
}

Remember to change the domain name in the rewrite line 🙂 Note what the rule does and does not cover: the regex matches only a query string that begins with author=, and the rewrite pattern ^/$ matches only the root path, so /?author=1 is redirected while a request with author= after another parameter, or the same query against /index.php, passes through untouched.

WordPress User Enumeration

A common technique to reveal the usernames of a WordPress-based site can be undertaken with this simple bash one-liner.
In many WordPress installations it is possible to enumerate usernames through the author archives, including the admin username (usually ID:1): a request to /?author=N is redirected to /author/<slug>/, and the slug in the Location header is the login name. This is not a new trick and is available in a number of WordPress security testing tools.
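The probe described above, written out as an added example (this is not the post's own one-liner): request /?author=N without following redirects, and pull the author slug out of the Location header WordPress sends back. The header parser is exercised on constructed sample lines so it runs offline; the curl wrapper, the example.com and domain.com host names, and the ID range are assumptions.

```shell
#!/bin/sh
# Extract the author slug from a raw "Location: ..." header line.
# WordPress answers GET /?author=N with a redirect to /author/<slug>/ when
# the ID exists; anything without /author/ in it (a 404 page, the nginx
# rewrite target from the fix above, an unrelated header) yields nothing.
author_slug_from_location() {
  printf '%s\n' "$1" |
    sed -n 's#^[Ll]ocation:[[:space:]]*.*/author/\([^/?[:space:]]*\)/*.*#\1#p'
}

# Probe one author ID against a live site and print "id slug" when found.
# Hypothetical wrapper: needs network access and a real base URL.
probe_author_id() {
  base="$1"
  id="$2"
  # -D - dumps the response headers; redirects are deliberately not followed.
  loc=$(curl -s --max-time 10 -o /dev/null -D - "$base/?author=$id" |
          grep -i '^location:')
  slug=$(author_slug_from_location "$loc")
  if [ -n "$slug" ]; then
    printf '%s %s\n' "$id" "$slug"
  fi
}

# Walk IDs 1..max (default 10); ID 1 is usually the administrator.
enumerate_authors() {
  base="$1"
  max="${2:-10}"
  i=1
  while [ "$i" -le "$max" ]; do
    probe_author_id "$base" "$i"
    i=$((i + 1))
  done
}

# Constructed sample headers: a vulnerable site answers with the author
# permalink, a site carrying the nginx fix answers with its 404 redirect.
author_slug_from_location 'Location: https://example.com/author/admin/'   # admin
author_slug_from_location 'Location: http://domain.com/404'               # (nothing)

# Against a live target you would run, for example:
# enumerate_authors https://example.com 20
```

With the nginx rule in place the redirect goes to the 404 URL instead of the author permalink, so the parser returns nothing and the ID is reported as absent; run the loop before and after deploying the rule to confirm the change.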

NOTE: If you are running Apache instead of nginx, see the separate post covering that web server.