Stop Nmap NSE enumeration WordPress


What is the Nmap Scripting Engine (NSE)?

“The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.”



WordPress sites accept a query parameter called ‘author’. It takes integer values and represents the ‘User ID’ of a user on the site. For example:

The problems found are:

  1. User ID values are assigned consecutively.
  2. When a valid User ID is requested, WordPress redirects to a page whose URL carries the author’s name.

Together these behaviours create the following attack vectors:

  1. The query response discloses whether the User ID is enabled.
  2. The query response leaks (by redirection) the User Name corresponding with that User ID. (See update for version 3.1.3)

User IDs can be disabled, which leaves gaps in the consecutive sequence. When a disabled or non-existent User ID is requested, no redirection takes place and no information is disclosed, so the scan learns only which IDs are live.


Add this snippet to your .htaccess file if your server runs the Apache web server. It redirects any request outside the admin area whose query string contains an author ID to the site root, so neither the existence of the ID nor the user name is disclosed:

RewriteEngine On
# Skip wp-admin, where ?author= is used legitimately by the dashboard
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
# Redirect to the site root with an empty query string
RewriteRule ^ /? [L,R=301]
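As an added example (not part of the original post), the following Python script flags the footprint an NSE-style author scan leaves in an Apache access log: one source probing several distinct ?author=N values. The log lines are constructed, and the author_id() helper mirrors the scope of the rewrite rule above (the wp-admin exclusion and the digits-only match); the detection threshold of three IDs is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def author_id(target):
    """Return the author ID probed by a request target, or None.

    Same scope as the .htaccess rule: the query string must carry
    author=<digits> and the path must not be under /wp-admin.
    """
    parts = urlsplit(target)
    if parts.path.lower().startswith('/wp-admin'):
        return None
    for value in parse_qs(parts.query).get('author', []):
        if value.isdigit():
            return int(value)
    return None

def find_enumeration(lines, threshold=3):
    """Return {ip: sorted author IDs} for sources probing >= threshold distinct IDs."""
    probes = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        # Status and User-Agent are ignored on purpose: a probe for a
        # disabled ID gets no redirect, and scanners can change their UA.
        uid = author_id(m.group('target'))
        if uid is not None:
            probes[m.group('ip')].add(uid)
    return {ip: sorted(ids) for ip, ids in probes.items() if len(ids) >= threshold}

# Constructed sample log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=3 HTTP/1.1" 404 1200 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"',
    '198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-admin/edit.php?author=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:05:41 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:06:02 +0000] "GET /?author=abc HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    print(find_enumeration(SAMPLE_LOG))
```

Run it against a real access log with find_enumeration(open(path)); the single editor request from 198.51.100.7 stays below the threshold while the scanner's consecutive probes are reported.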

If you are on the nginx web server, see the separate post covering the equivalent nginx configuration.

Thank you for reading my tutorial, and feel free to share and comment 🙂. Do you have a code snippet that you want to see published on my site? I will be more than happy to do it; please send me a message (here).
