Viewing 11 replies - 1 through 11 (of 11 total)
  • Thread Starter vinhtvu2

    (@vinhtvu2)

    I don’t know if you’ve had a chance at implementing this option, but would you consider it? We are getting brute-forced pretty hard, but since they’re actually using our user names, they’re not being blocked as quickly. Thanks!

    Plugin Author gioni

    (@gioni)

    Hi!

    Yes, it will be implemented in the next release. As of now, you can disable REST API to stop user enumeration. Do you have a reason not to do that?

    Thread Starter vinhtvu2

    (@vinhtvu2)

    I have REST disabled, but it seems WP-JSON is still available and the /wp-json/wp/v2/users/ option is still available.

    Can’t wait for the new version! Thanks for all the hard work!

    Plugin Author gioni

    (@gioni)

    It must not be available. If you have disabled REST API, it is available for IPs in the White Access list only.

    Plugin Author gioni

    (@gioni)

    Resolved in 5.5

    Thread Starter vinhtvu2

    (@vinhtvu2)

    I updated one of our sites to version 5.5, and tested on a device that’s off our network on a public IP range that is not on the whitelist. Still able to access the wp-json user list.

    Plugin Author gioni

    (@gioni)

    That’s weird.

    I hope you’ve checked Stop user enumeration?
    What URL do you use for tests? It should be /wp-json/wp/v2/users/

    Thread Starter vinhtvu2

    (@vinhtvu2)

    I have Stop User Enumeration checked. I tried checking disable REST API as well but I’m still able to get /wp-json/wp/v2/users/ on all of our sites.

    I might’ve forgotten to mention that I’m using it on a multisite? Not sure if that affects it any.

    Seems like on our primary site, it’s working, or showing no user [].

    Thread Starter vinhtvu2

    (@vinhtvu2)

    Also tested on external non-whitelisted IPs.

    Plugin Author gioni

    (@gioni)

    Yes, multisite may be the cause. Do you use subfolder or subdomain installation?

    Plugin Author gioni

    (@gioni)

    @vinhtvu2 Hi! A related bug has been found and fixed in the development release 5.6.6. Check it out: https://wpcerber.com/development-version/

  • The topic ‘wp-json user enumeration disable’ is closed to new replies.
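
The test described in the thread (requesting /wp-json/wp/v2/users/ from a non-whitelisted IP on the primary site and on each multisite subsite) can be scripted. The following is an added example, not code from the thread's participants or from the plugin; the site URLs are placeholders and the three result labels are this example's own.

```python
import json
import urllib.error
import urllib.request

USERS_PATH = "/wp-json/wp/v2/users/"  # endpoint named in the thread


def classify(status, body):
    """Return 'exposed', 'empty' or 'blocked' for one users-endpoint response."""
    if status != 200:
        return "blocked"          # e.g. 401/403/404 from the plugin or web server
    try:
        data = json.loads(body)
    except ValueError:
        return "blocked"          # 200 with a non-JSON page (login or error page)
    if isinstance(data, list):
        # A list of objects carrying "slug" is the user list; [] is what the
        # thread reports for the primary site.
        leaked = [u for u in data if isinstance(u, dict) and "slug" in u]
        return "exposed" if leaked else "empty"
    return "blocked"              # a JSON object rather than a user list


def fetch(base_url, timeout=10):
    """GET the users endpoint of one site; returns (status, body)."""
    url = base_url.rstrip("/") + USERS_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(sites, fetcher=fetch):
    """Map each site base URL (primary site and every subsite) to its verdict."""
    return {site: classify(*fetcher(site)) for site in sites}


if __name__ == "__main__":
    # Placeholder URLs: replace with your own network's primary site and subsites.
    sites = ["https://example.com", "https://example.com/subsite"]
    for site, verdict in audit(sites).items():
        print(f"{verdict:8} {site}")
```

Run it from a host whose IP is not on the plugin's access list, and include every subsite, since the thread shows the primary site returning [] while other sites still listed users.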