Title: User Enumeration issue
Last modified: April 16, 2020

---

# User Enumeration issue

 *  Resolved [eddyferns](https://wordpress.org/support/users/eddyferns/)
 * (@eddyferns)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/user-enumeration-issue/)
 * Despite enabling all options under “Protect against username enumeration”, the
   usernames are obtained by the following methods:
 * 1. RSS Generator
 * 2. Embeds — When “WordPress REST API” block is not enabled.
 * Regards,
    Ed

Viewing 10 replies - 1 through 10 (of 10 total)

 *  [barnez](https://wordpress.org/support/users/pidengmor/)
 * (@pidengmor)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/user-enumeration-issue/#post-12686026)
 * Just to chime in here, AFAIK if a nickname for the user is set, which is different
   from the username, then that is the only thing revealed in the RSS feed.
 *  Thread Starter [eddyferns](https://wordpress.org/support/users/eddyferns/)
 * (@eddyferns)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/user-enumeration-issue/#post-12688095)
 * That is true but there are some who set username as nickname inadvertently or
   unknowingly, which also is usually the case for novices. So it would be a given
   for them that the plugin has it all covered.
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/user-enumeration-issue/#post-12689235)
 * It’s almost impossible to hide all usernames. There are also several plugins
   or themes that can leak them in the page. That’s the reason why we mention [in the documentation](https://blog.nintechnet.com/securing-wordpress-with-a-web-application-firewall-ninjafirewall/)
   that it is better to use a strong password along with the brute-force protection,
   rather than to rely on the user enumeration protection.
 *  Thread Starter [eddyferns](https://wordpress.org/support/users/eddyferns/)
 * (@eddyferns)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/user-enumeration-issue/#post-12693103)
 * Point taken per the circumstances. Will check further how far user enumeration
   can be hardened.
 * Username leak via RSS can be plugged through code.
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/user-enumeration-issue/#post-12693388)
 * I’ll check the RSS feed. I guess all I’d need to do is to hook it and remove 
   the `<dc:creator>` tag.
 *  Thread Starter [eddyferns](https://wordpress.org/support/users/eddyferns/)
 * (@eddyferns)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/user-enumeration-issue/#post-12696535)
 * When successful you could then have it as a feature for your plugin either inclusively
   or as an option.
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/user-enumeration-issue/#post-12706798)
 * It will have to be optional as some users may want to keep the user name in the
   feed. In the meantime, if you want to block it now you can add this code anywhere
   inside the ‘ninjafirewall/lib/utils.php’:
 *     ```
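       // Blank the author name whenever WordPress is rendering a feed,
       // so the feed's <dc:creator> element is emitted empty.
       function nfw_check_author( $display_name ) {
           if ( is_feed() ) {
               return '';
           }
           // Regular page views keep the normal author display name.
           return $display_name;
       }
       // Very late priority (99999) so this runs after other 'the_author' filters.
       add_filter( 'the_author', 'nfw_check_author', 99999, 1 );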
       ```
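
An added check, not part of the thread or of NinjaFirewall's code: it parses a site's own RSS feed, lists every non-empty `<dc:creator>` value, and flags the ones that match a real login, which is the case discussed above where the nickname was left equal to the username. The function names, the sample feeds and the login list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Dublin Core namespace behind the dc: prefix used for <dc:creator> in RSS 2.0 feeds.
DC_NS = "http://purl.org/dc/elements/1.1/"

# Constructed sample: a feed as served before the 'the_author' filter is installed.
FEED_BEFORE = """<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel><title>Example site</title>
<item><title>Post one</title><link>https://example.test/?p=1</link>
<dc:creator><![CDATA[admin_ed]]></dc:creator></item>
<item><title>Post two</title><link>https://example.test/?p=2</link>
<dc:creator><![CDATA[Site Editor]]></dc:creator></item>
</channel></rss>"""

# Constructed sample: the same feed once the filter returns '' for feeds.
FEED_AFTER = """<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel><title>Example site</title>
<item><title>Post one</title><link>https://example.test/?p=1</link>
<dc:creator><![CDATA[]]></dc:creator></item>
</channel></rss>"""


def feed_authors(feed_xml):
    """Map each item's link to its non-empty <dc:creator> text."""
    root = ET.fromstring(feed_xml)
    found = {}
    for item in root.iter("item"):
        creator = (item.findtext(f"{{{DC_NS}}}creator", default="") or "").strip()
        if creator:
            found[item.findtext("link", default="(no link)")] = creator
    return found


def login_exposures(feed_xml, logins):
    """Keep only the items whose creator equals one of the site's real logins."""
    wanted = {name.lower() for name in logins}
    return {link: name for link, name in feed_authors(feed_xml).items()
            if name.lower() in wanted}


if __name__ == "__main__":
    site_logins = ["admin_ed", "editor2"]  # assumption: supplied by the site admin
    print("creators before:", feed_authors(FEED_BEFORE))
    print("logins exposed before:", login_exposures(FEED_BEFORE, site_logins))
    print("creators after:", feed_authors(FEED_AFTER))
```

Run against a saved copy of your own feed before and after adding the filter; an empty result from `feed_authors` confirms the `<dc:creator>` values are gone.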
   
 *  Thread Starter [eddyferns](https://wordpress.org/support/users/eddyferns/)
 * (@eddyferns)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/user-enumeration-issue/#post-12719008)
 * Thanks for the code. Username no longer displays!
 * Alternatively, the same can be achieved by disabling feeds if not needed.
 * FYI, there is a pesty slug /?feed, which is not a feed, directing WordPress websites
   to a Post where the username is showing in the page source code. Unfortunately
   the .htaccess redirect doesn’t work. Perhaps php again is the way out.
 *  Plugin Author [nintechnet](https://wordpress.org/support/users/nintechnet/)
 * (@nintechnet)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/user-enumeration-issue/#post-12729013)
 * You need to block an existing but empty `$_GET['feed']` with the .htninja file:
 *     ```
       if ( isset( $_GET['feed'] ) && $_GET['feed'] == '' ) {
          return 'BLOCK'; // reject it
       }
       ```
   
 *  Thread Starter [eddyferns](https://wordpress.org/support/users/eddyferns/)
 * (@eddyferns)
 * [6 years, 1 month ago](https://wordpress.org/support/topic/user-enumeration-issue/#post-12738432)
 * Awesome! Gets the job done.


The topic ‘User Enumeration issue’ is closed to new replies.


 * 10 replies
 * 3 participants
 * Last reply from: [eddyferns](https://wordpress.org/support/users/eddyferns/)
 * Last activity: [6 years, 1 month ago](https://wordpress.org/support/topic/user-enumeration-issue/#post-12738432)
 * Status: resolved