Author enumeration is one of the first steps attackers take when targeting a WordPress site. It is a simple technique that reveals the usernames on your site, giving attackers half the information they need to attempt a login.
How author enumeration works
WordPress assigns a numeric ID to every user, starting from 1. When someone visits yoursite.com/?author=1, WordPress looks up which user has ID 1 and redirects to their author archive page — for example, /author/admin/.
By cycling through ?author=1, ?author=2, ?author=3, and so on, an attacker can discover every username on your site in seconds. Automated tools do this routinely as part of mass scanning operations.
Once an attacker has a valid username, they only need to guess the password. This makes brute-force attacks faster and more targeted.
What the setting does
When you enable Block author enumeration, Web60 adds a server-level rule that returns a 403 Forbidden error for any request containing ?author= followed by a number. The request is blocked before it ever reaches WordPress.
This means:
- yoursite.com/?author=1 returns 403 (blocked)
- yoursite.com/author/john/ continues to work (normal author archive)
- All automated scanning tools that use the ?author=N technique are stopped
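To check whether a site has been probed this way, and whether the block is answering those probes, you can scan the web server access log for clients that cycle through author IDs. The script below is an added example, not Web60 code; it assumes the common "combined" access log format, and the log lines in it are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = '''\
203.0.113.7 - - [26/Mar/2026:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "scanner"
203.0.113.7 - - [26/Mar/2026:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "scanner"
203.0.113.7 - - [26/Mar/2026:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "scanner"
198.51.100.9 - - [26/Mar/2026:11:30:00 +0000] "GET /?author=1 HTTP/1.1" 403 0 "-" "scanner"
198.51.100.9 - - [26/Mar/2026:11:30:00 +0000] "GET /index.php?paged=2&author=2 HTTP/1.1" 403 0 "-" "scanner"
192.0.2.44 - - [26/Mar/2026:12:00:00 +0000] "GET /author/john/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [26/Mar/2026:12:00:05 +0000] "GET /?s=author=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''

# Captures: client IP, request target, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

def author_probes(log_text):
    """Map client IP -> probed author IDs plus redirected/blocked counts."""
    report = defaultdict(lambda: {"ids": set(), "redirected": 0, "blocked": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        # Parse the query string so only a real "author" parameter counts,
        # wherever it sits; "?s=author=1" is a search, not a probe.
        for key, value in parse_qsl(urlsplit(target).query):
            if key != "author" or not re.fullmatch(r"[0-9]+", value):
                continue
            entry = report[ip]
            entry["ids"].add(int(value))
            if status.startswith("3"):
                entry["redirected"] += 1  # redirect exposes /author/<username>/
            elif status == "403":
                entry["blocked"] += 1     # stopped by the server-level rule
    return dict(report)

def enumerators(log_text, min_ids=2):
    """Client IPs that requested at least min_ids distinct author IDs."""
    probes = author_probes(log_text)
    return sorted(ip for ip, e in probes.items() if len(e["ids"]) >= min_ids)

if __name__ == "__main__":
    for ip, e in author_probes(SAMPLE_LOG).items():
        print(ip, sorted(e["ids"]), "redirected:", e["redirected"], "blocked:", e["blocked"])
```

A client with a non-zero redirected count received at least one username before the block was enabled; after enabling the setting, new probes should appear only under blocked.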
How to enable it
- Open your Web60 dashboard and select your website.
- Go to Advanced Settings.
- In the Security card, find Block author enumeration.
- Toggle it on.
The block takes effect immediately at the server level.
How to disable it
Toggle the setting off in the Security card. The server rule is removed and ?author=N requests will work as normal, redirecting to author archive pages.
Impact on your site
| Area | Impact |
|---|---|
| Author archive pages | No effect — /author/username/ still works |
| WordPress admin | No effect |
| REST API | No effect — the REST API users endpoint is separate |
| SEO | No effect — search engines use author archive URLs, not ?author=N |
| Plugins | No effect — no plugin relies on ?author=N query parameters |
Additional recommendations
Blocking author enumeration is one layer of login security. For the strongest protection, combine it with:
- A strong, unique password for every admin account
- Limiting login attempts — Web60 includes brute-force protection at the server level
- Keeping WordPress updated — use the auto-update settings in Advanced Settings
Need help?
If you have questions about author enumeration or login security, visit our support page and we will be happy to help.
Frequently asked questions
What is author enumeration?
Author enumeration is a technique where someone adds ?author=1, ?author=2, and so on to your site URL. WordPress redirects these requests to the author archive page, revealing the username associated with each ID. Attackers collect these usernames to use in password-guessing attacks.
Will blocking this affect my author archive pages?
No. Author archive pages accessed by their normal URL (for example, /author/john/) continue to work as expected. Only requests using the ?author=N query parameter are blocked.
I only have one admin user — does this still matter?
Yes. Even with a single user, blocking enumeration prevents automated tools from confirming that your username exists, which makes brute-force attacks less efficient.
Last updated: 26 March 2026
