[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYuiLUC654kybZUGO2JQDg8-UGHO-8uecEa_CRJwjjao":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":22,"download_link":23,"security_score":24,"vuln_count":13,"unpatched_count":13,"last_vuln_date":25,"fetched_at":26,"vulnerabilities":27,"developer":28,"crawl_stats":25,"alternatives":33,"analysis":128,"fingerprints":158},"disabling-user-enumeration","Disable User Enumeration","1.0.0","incredibledeveloperr","https:\u002F\u002Fprofiles.wordpress.org\u002Fincredibledeveloperr\u002F","\u003Cp>User enumeration can be use for brute-force techniques to either guess or confirm valid users in a system. User enumeration is often a web application vulnerability, though it can also be found in any system that requires user authentication.\u003C\u002Fp>\n\u003Cp>An enumeration attack allows a hacker to check whether a name exists in the database. For example, to set up a brute-force attack, rather than searching through login and password pairs, all they need is a matching password for a verified user name, saving time and effort.\u003C\u002Fp>\n\u003Cp>The phrase “username harvesting” refers to a vulnerability that when exploited allows people or programs interacting with an application to determine what a valid username is vs an invalid username.\u003C\u002Fp>\n\u003Cp>**You can check your site have user enumeration by simply type https:\u002F\u002Fselectedfirms.co\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers that’s it. **\u003C\u002Fp>\n\u003Cp>Features:\u003C\u002Fp>\n\u003Col>\n\u003Cli>We only disable for non logged in users.\u003C\u002Fli>\n\u003Cli>You can deactivate with single click. 
No extra configuration required.\u003C\u002Fli>\n\u003Cli>Something else about the plugin\u003C\u002Fli>\n\u003C\u002Fol>\n","Disable User Enumeration is a plugin designed to prevent hackers scanning your site for user names using REST API call.",30,1159,0,"2020-12-16T07:49:00.000Z","5.5.18","4.7","7.2",[19,20,21],"disable-user-enumeration","rest-api-user-enumeration","user-enumeration","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdisabling-user-enumeration.zip",85,null,"2026-03-15T15:16:48.613Z",[],{"slug":7,"display_name":7,"profile_url":8,"plugin_count":29,"total_installs":30,"avg_security_score":24,"avg_patch_time_days":11,"trust_score":31,"computed_at":32},2,40,84,"2026-04-04T02:41:42.443Z",[34,59,77,92,109],{"slug":35,"name":36,"version":37,"author":38,"author_profile":39,"description":40,"short_description":41,"active_installs":42,"downloaded":43,"rating":44,"num_ratings":45,"last_updated":46,"tested_up_to":47,"requires_at_least":48,"requires_php":49,"tags":50,"homepage":54,"download_link":55,"security_score":56,"vuln_count":57,"unpatched_count":13,"last_vuln_date":58,"fetched_at":26},"stop-user-enumeration","Stop User Enumeration","1.7.7","fullworks","https:\u002F\u002Fprofiles.wordpress.org\u002Ffullworks\u002F","\u003Cp>Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user login names.\u003C\u002Fp>\n\u003Cp>User Enumeration is a type of attack where nefarious parties can probe your website to discover your login name. This is often a pre-cursor to brute-force password attacks. Stop User Enumeration helps block this initial attack and allows you to log IPs launching these attacks to block further attacks in the future.\u003C\u002Fp>\n\u003Cp>Tools like WPSCAN are designed for use by ethical hackers and make efforts to find user login names. 
Ethical hackers ask permission first, this plugin is designed to reduce the tools when used without permission and when used in conjunction with fail2ban can block those attempts at the firewall.\u003C\u002Fp>\n\u003Cp>If you are on a VPS or dedicated server, as the attack IP is logged, you can use (optional additional configuration) fail2ban to block the attack directly at your server’s firewall, a very powerful solution for VPS owners to stop brute force attacks as well as DDoS attacks.\u003C\u002Fp>\n\u003Cp>If you don’t have access to install fail2ban ( e.g. on a Shared Host ) you can still use this plugin.\u003C\u002Fp>\n\u003Cp>The plugin can stop the user id being leaked by the oEmbed API call.\u003C\u002Fp>\n\u003Cp>Since WordPress 4.5 user data can also be obtained by API calls without logging in, this is a WordPress feature, but if you don’t need it to get user data, this\u003Cbr \u002F>\nplugin will restrict and log that too.\u003C\u002Fp>\n\u003Cp>Since WordPress 5.5  sitemaps are generated by core WP  ( wp-sitemap.xml ) which includes a user\u002Fauthor sitemap that exposes the user id.  You can enable \u002F disable this in the plugin settings.\u003C\u002Fp>\n\u003Ch4>PHP 8.4 compatible\u003C\u002Fh4>\n\u003Cp>Tested on PHP 8.4\u003C\u002Fp>\n\u003Ch4>Features Include\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>Blocks user enumeration requests by GET or POST\u003C\u002Fli>\n\u003Cli>Syslogs a block so Fail2Ban can be used to block an IP\u003C\u002Fli>\n\u003Cli>Optionally blocks REST API user requests for non authorized users\u003C\u002Fli>\n\u003Cli>Optionally removes author sitemap\u003C\u002Fli>\n\u003Cli>Optionally removes author from OEMBED\u003C\u002Fli>\n\u003Cli>Optionally removes numbers from comment authors\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch3>Privacy\u003C\u002Fh3>\n\u003Cp>This plugin includes an optional email feature for plugin news and updates. 
When enabled:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Your email address may be sent to https:\u002F\u002Ffullworksplugins.com for important plugin updates and security notices\u003C\u002Fli>\n\u003Cli>This is completely optional and requires your explicit consent via the opt-in form in the plugin settings\u003C\u002Fli>\n\u003Cli>No data is collected or transmitted without your permission\u003C\u002Fli>\n\u003Cli>You can opt-out at any time from the plugin settings\u003C\u002Fli>\n\u003Cli>No other personal data is collected or transmitted to external services\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>The plugin logs attempted user enumeration attacks locally using WordPress’s standard logging system:\u003Cbr \u002F>\n* IP addresses of potential attackers are logged locally for security monitoring\u003Cbr \u002F>\n* These logs remain on your server and are not transmitted to any external service\u003Cbr \u002F>\n* Logs can be used with fail2ban or similar tools for enhanced security\u003C\u002Fp>\n\u003Cp>For more information about data handling, please visit https:\u002F\u002Ffullworksplugins.com\u002Fprivacy-policy\u002F\u003C\u002Fp>\n","Helps secure your site against hacking attacks through detecting  User Enumeration",50000,1305856,98,128,"2025-12-15T10:48:00.000Z","6.9.4","6.3","7.4",[51,52,21,53],"fail2ban","security","wpscan","https:\u002F\u002Ffullworksplugins.com\u002Fproducts\u002Fstop-user-enumeration\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fstop-user-enumeration.1.7.7.zip",91,6,"2025-06-26 00:00:00",{"slug":60,"name":61,"version":62,"author":63,"author_profile":64,"description":65,"short_description":66,"active_installs":67,"downloaded":68,"rating":69,"num_ratings":29,"last_updated":70,"tested_up_to":71,"requires_at_least":16,"requires_php":49,"tags":72,"homepage":75,"download_link":76,"security_score":24,"vuln_count":13,"unpatched_count":13,"last_vuln_date":25,"fetched_at":26},"wp-author-security","WP Author Security","1.5.0","mgm 
security partners GmbH","https:\u002F\u002Fprofiles.wordpress.org\u002Fmgmsp\u002F","\u003Cp>WP Author Security is a lightweight but powerful plugin to protect against user enumeration attacks on author pages and other places where valid user names can be obtained.\u003C\u002Fp>\n\u003Cp>By default, WordPress will display some sensitive information on author pages.\u003Cbr \u002F>\nThe author page is typically called by requesting the URI \u003Ccode>https:\u002F\u002Fyourdomain.tld\u002F?author=\u003Cid>\u003C\u002Fcode> or with permalinks \u003Ccode>https:\u002F\u002Fyourdomain.tld\u002Fauthor\u002F\u003Cusername>\u003C\u002Fcode>.\u003Cbr \u002F>\nThe page will include (depending on your theme) the full name (first and last name) as well as the username of the author which is used to log in to WordPress.\u003C\u002Fp>\n\u003Cp>In some cases, it is not wanted to expose this information to the public. An attacker is able to brute force valid IDs or valid usernames. This information might be used for further attacks like social engineering attacks or log in brute force attacks with gathered usernames.\u003Cbr \u002F>\n\u003Cem>However, when using the plugin and you disable author pages completely it must be noted that you need to take care that your active theme will not display the author name itself on posts like “Posted by admin” or something like that. This is something the plugin will not handle (at the moment).\u003C\u002Fem>\u003C\u002Fp>\n\u003Cp>By using the extension, you are able to disable the author pages either completely or display them only when the author has at least one published post. When the page is disabled the default 404 error page of the active theme is displayed.\u003C\u002Fp>\n\u003Cp>In addition, the plugin will also protect other locations which are commonly used by attackers to gather valid user names. 
These are:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>The REST API for users which will list all users with published posts by default.\u003Cbr \u002F>\n  https:\u002F\u002Fyourdomain.tld\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers\u003C\u002Fli>\n\u003Cli>The log in page where different error messages will indicate whether an entered user name or mail address exists or not. The plugin will display a neutral error message independently whether the user exists or not.\u003C\u002Fli>\n\u003Cli>The password forgotten function will also allow an attacker to check for the existence of a user. As for the log in page the plugin will display a neutral message even when the user does not exists.\u003C\u002Fli>\n\u003Cli>Requesting the feed endpoint \u002Ffeed of your blog will also allow others to see the username or display name of the author. The plugin will remove the name from the result list.\u003C\u002Fli>\n\u003Cli>WordPress supports so-called oEmbeds. This is a technique to embed a reference to a post into another post. However, this reference will also contain the author name and a direct link to the profile page. The plugin will also remove the name and link here.\u003C\u002Fli>\n\u003Cli>Since WordPress 5.5 a default sitemap can be reached via \u002Fwp-sitemap.xml. This sitemap will disclose the usernames of all authors. 
If this should not be disclosed you are able to disable this feature of WordPress.\u003C\u002Fli>\n\u003C\u002Ful>\n","Protect against user enumeration attacks on author pages and other places where valid user names can be obtained.",500,6531,100,"2023-04-12T07:32:00.000Z","6.2.9",[73,74,52,21,53],"author","privacy","https:\u002F\u002Fgithub.com\u002Fmgm-sp\u002Fwp-author-security","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-author-security.1.5.0.zip",{"slug":78,"name":79,"version":80,"author":81,"author_profile":82,"description":83,"short_description":84,"active_installs":85,"downloaded":86,"rating":13,"num_ratings":13,"last_updated":87,"tested_up_to":88,"requires_at_least":89,"requires_php":22,"tags":90,"homepage":22,"download_link":91,"security_score":24,"vuln_count":13,"unpatched_count":13,"last_vuln_date":25,"fetched_at":26},"no-user-enumeration","No User Enumeration","1.3.2","Carlos","https:\u002F\u002Fprofiles.wordpress.org\u002Fcarlost800\u002F","\u003Cp>In many WordPress installations is possible enumerate usernames through the author archives, using urls like this:\u003C\u002Fp>\n\u003Cp>http:\u002F\u002Fwpsite\u002F?author=1\u003C\u002Fp>\n\u003Cp>http:\u002F\u002Fwpsite\u002F?author=1\u002F\u003C\u002Fp>\n\u003Cp>http:\u002F\u002Fwpsite\u002F?bypass=1&author%00=1\u003C\u002Fp>\n\u003Cp>http:\u002F\u002Fwpsite\u002F?author%00=%001\u003C\u002Fp>\n\u003Cp>http:\u002F\u002Fwpsite\u002F?%61uthor=1\u003C\u002Fp>\n\u003Cp>And recently wordpress since 4.7 comes with a rest api integrated that allow list users:\u003C\u002Fp>\n\u003Cp>curl -s http:\u002F\u002Fwpsite\u002Fwp-json\u002Fwp\u002Fv2\u002Fusers\u002F\u003Cbr \u002F>\ncurl -s http:\u002F\u002Fwpsite\u002F?rest_route=\u002Fwp\u002Fv2\u002Fusers\u003Cbr \u002F>\ncurl http:\u002F\u002Fwpsite\u002F?_method=GET -d rest_route=\u002Fwp\u002Fv2\u002Fusers\u003C\u002Fp>\n\u003Cp>Know the username of a administrator is the half battle, now an attacker only need guest the password.\u003Cbr 
\u002F>\nThis plugin stops it.\u003C\u002Fp>\n\u003Cp>Also, it is possible to get usernames from the post entries.\u003Cbr \u002F>\nThis plugin hides the name of the author in a post entry if he is not using a nickname.\u003Cbr \u002F>\nAlso, it hides the URL page link of an administrator author.\u003C\u002Fp>\n\u003Cp>The main goal is to hide the administrators' usernames.\u003Cbr \u002F>\nObviously, it is better not to choose “admin” as the username because it is easily guessable.\u003C\u002Fp>\n","Stop user enumeration for security.",200,4695,"2019-10-23T03:11:00.000Z","5.2.24","2.9",[52,21,53],"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fno-user-enumeration.1.3.2.zip",{"slug":93,"name":94,"version":6,"author":95,"author_profile":96,"description":97,"short_description":98,"active_installs":99,"downloaded":100,"rating":13,"num_ratings":13,"last_updated":101,"tested_up_to":102,"requires_at_least":103,"requires_php":22,"tags":104,"homepage":22,"download_link":108,"security_score":24,"vuln_count":13,"unpatched_count":13,"last_vuln_date":25,"fetched_at":26},"double-knot-security","Double Knot","mattturow","https:\u002F\u002Fprofiles.wordpress.org\u002Fmattturow\u002F","\u003Cp>This plugin checks for common user names that don’t exist in the users table.  If the submitted user name meets settings criteria the IP will be blocked from the site.\u003C\u002Fp>\n\u003Cp>The plugin also has the ability to stop author enumeration by bots.\u003C\u002Fp>\n\u003Ch4>Recommended Settings\u003C\u002Fh4>\n\u003Cp>There are two different ways to protect your site from user name brute force attacks.  The more strict way is to immediately block an IP that attempts to login with a non-existent user name.  This can possibly cause issues with websites that have many users or users that may not login very often and forget their user name.  
It’s most useful for one-person websites.\u003C\u002Fp>\n\u003Cp>The less strict way is to have a black list of user names that only a bot would try like “admin” and user nicenames that aren’t logins.\u003C\u002Fp>\n\u003Cp>The “Stop Enumeration” setting redirects all attempts to ?author={ID} to the home page of your site.  This will stop bots from incrementing through your users and discovering user nicenames.\u003C\u002Fp>\n","Stop brute force login attempts by user name.",10,1248,"2017-06-15T12:18:00.000Z","4.8.28","3.0",[105,106,107,52,21],"iptables","log","protect","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdouble-knot-security.zip",{"slug":110,"name":111,"version":112,"author":113,"author_profile":114,"description":115,"short_description":116,"active_installs":13,"downloaded":117,"rating":69,"num_ratings":118,"last_updated":22,"tested_up_to":47,"requires_at_least":119,"requires_php":120,"tags":121,"homepage":125,"download_link":126,"security_score":69,"vuln_count":13,"unpatched_count":13,"last_vuln_date":25,"fetched_at":127},"khushal-login-path-guard","Khushal Login Path Guard","2.4.1","Khushal Tank","https:\u002F\u002Fprofiles.wordpress.org\u002Fkhushal1995\u002F","\u003Cp>Khushal Login Path Guard is a WordPress security plugin that allows you to change your default login URL and protect your site from common attack vectors. The plugin blocks brute-force attempts, prevents user enumeration, secures sensitive files, and hides WordPress information from potential attackers. 
All blocked paths display 404 errors (Stealth Mode) instead of redirects, making your site invisible to attackers.\u003C\u002Fp>\n\u003Ch4>Features\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Login Protection:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Blocks 17+ common brute-force login paths\u003Cbr \u002F>\n* Custom login URL (only you know the path)\u003Cbr \u002F>\n* Shows 404 error instead of redirect (no hints to attackers)\u003Cbr \u002F>\n* Protects \u002Fwp-admin, \u002Flogin, \u002Fwp-login.php and more\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Advanced Security:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Blocks XML-RPC (prevents brute-force via API)\u003Cbr \u002F>\n* Prevents user enumeration via REST API\u003Cbr \u002F>\n* Blocks author page enumeration (?author=1)\u003Cbr \u002F>\n* Protects wp-config.php and sensitive files\u003Cbr \u002F>\n* Blocks direct access to wp-includes PHP files\u003Cbr \u002F>\n* Removes WordPress version information\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Security Headers:\u003C\u002Fstrong>\u003Cbr \u002F>\n* X-Frame-Options (prevents clickjacking)\u003Cbr \u002F>\n* X-Content-Type-Options (prevents MIME sniffing)\u003Cbr \u002F>\n* X-XSS-Protection (XSS attack protection)\u003Cbr \u002F>\n* Referrer-Policy (privacy protection)\u003Cbr \u002F>\n* Permissions-Policy (feature restriction)\u003C\u002Fp>\n\u003Cp>\u003Cstrong>User-Friendly:\u003C\u002Fstrong>\u003Cbr \u002F>\n* Easy settings interface\u003Cbr \u002F>\n* One-click URL copy\u003Cbr \u002F>\n* Normal functionality for logged-in users\u003Cbr \u002F>\n* Does not block AJAX requests\u003Cbr \u002F>\n* Clean admin interface\u003C\u002Fp>\n\u003Ch4>Security Benefits\u003C\u002Fh4>\n\u003Col>\n\u003Cli>\u003Cstrong>Brute Force Protection\u003C\u002Fstrong> – 15+ login paths blocked\u003C\u002Fli>\n\u003Cli>\u003Cstrong>XML-RPC Disabled\u003C\u002Fstrong> – Prevents API-based attacks\u003C\u002Fli>\n\u003Cli>\u003Cstrong>User Enumeration Blocked\u003C\u002Fstrong> – Hides usernames from 
attackers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Sensitive Files Protected\u003C\u002Fstrong> – wp-config.php, .htaccess secured\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Security Headers\u003C\u002Fstrong> – Industry-standard HTTP headers\u003C\u002Fli>\n\u003Cli>\u003Cstrong>WordPress Hidden\u003C\u002Fstrong> – Removes version and generator tags\u003C\u002Fli>\n\u003C\u002Fol>\n\u003Ch4>Very easy to use\u003C\u002Fh4>\n\u003Col>\n\u003Cli>Activate the plugin\u003C\u002Fli>\n\u003Cli>Go to Settings > Login Path Security\u003C\u002Fli>\n\u003Cli>Enter your custom login path\u003C\u002Fli>\n\u003Cli>Save the settings\u003C\u002Fli>\n\u003Cli>Use the new login URL\u003C\u002Fli>\n\u003C\u002Fol>\n","Change your WordPress login URL and protect your site from brute-force attacks. Blocks default login paths with 404 errors.",133,1,"5.0","7.0",[122,123,52,21,124],"brute-force","login","xmlrpc","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fkhushal-login-path-guard\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkhushal-login-path-guard.2.4.1.zip","2026-03-15T10:48:56.248Z",{"attackSurface":129,"codeSignals":146,"taintFlows":153,"riskAssessment":154,"analyzedAt":157},{"hooks":130,"ajaxHandlers":142,"restRoutes":143,"shortcodes":144,"cronEvents":145,"entryPointCount":13,"unprotectedCount":13},[131,137],{"type":132,"name":133,"callback":134,"file":135,"line":136},"action","init","dsapi_render_disable_api","disable-user-enumeration.php",49,{"type":138,"name":139,"callback":140,"file":135,"line":141},"filter","rest_endpoints","dsapi_api_users_endpoint_force_auth",53,[],[],[],[],{"dangerousFunctions":147,"sqlUsage":148,"outputEscaping":150,"fileOperations":13,"externalRequests":13,"nonceChecks":13,"capabilityChecks":118,"bundledLibraries":152},[],{"prepared":13,"raw":13,"locations":149},[],{"escaped":13,"rawEcho":13,"locations":151},[],[],[],{"summary":155,"deductions":156},"The 'disabling-user-enumeration' plugin v1.0.0 presents a 
strong security posture based on the provided static analysis and vulnerability history.  The plugin demonstrates excellent security practices, with no identified dangerous functions, all SQL queries using prepared statements, and all outputs being properly escaped.  Furthermore, the absence of file operations, external HTTP requests, and any taint flows with unsanitized paths are significant positive indicators.  The plugin also correctly implements a capability check, which is a fundamental security control.\n\nThe attack surface is notably zero, with no AJAX handlers, REST API routes, shortcodes, or cron events registered. This significantly reduces the potential entry points for attackers. The vulnerability history is equally impressive, with zero known CVEs, indicating a mature and secure codebase with no history of security flaws.  This suggests the developers are prioritizing security and maintaining a clean code base.\n\nOverall, this plugin appears to be very secure. Its strengths lie in its minimal attack surface, adherence to secure coding practices like prepared statements and output escaping, and a complete lack of past vulnerabilities. The only potential area for slight improvement, though not a direct concern based on the current data, would be the explicit implementation of nonce checks if any AJAX or similar entry points were ever introduced, although with zero entry points currently, this is a non-issue. The plugin's current implementation is robust and does not indicate any immediate security risks.",[],"2026-03-16T22:24:49.640Z",{"wat":159,"direct":164},{"assetPaths":160,"generatorPatterns":161,"scriptPaths":162,"versionParams":163},[],[],[],[],{"cssClasses":165,"htmlComments":166,"htmlAttributes":167,"restEndpoints":168,"jsGlobals":171,"shortcodeOutput":172},[],[],[],[169,170],"\u002Fwp\u002Fv2\u002Fusers","\u002Fwp\u002Fv2\u002Fusers\u002F(?P\u003Cid>[\\d]+)",[],[]]