Wordpress User Detector

Stay Up To Date
Asset Type


Need Membership


Asset Verify


API Support


Estimate Time (Second)


Wordpress User Detector Detail

You can identify users belonging to a wordpress site by using our online WordPress User Enumeration tool.

Why Is WordPress User Enumeration Important?

For the purpose of performing weak password attempts attackers can gather information about users in the wordpress.

If any attackers can find a users credentials, it means they can use your admin panel to increase attack surface. After that, harmful codes can be added the current theme, hacklinks can be inserted to posts and other things can be done that users privileges allow.

Wordpress User Enumeration Tool

We use wpscan tools to worpdress user enumeration.

You can easily identify users belonging to your WordPress with our free and online WordPress User Enumeration tool. To do this, you can start by typing your domain name in the form on top of the page and start scanning.

Or you can remotely check them by using open-source code tools such as wpscan, cmsscan. These tools will provide you with a report as if your website is attacked.

wpscan --enumerate u --url https://securityforeveryone.com

[+] URL: https://securityforeveryone.com/ []
[+] Started: Sun Jun  7 18:34:17 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: nginx
 |  - X-Powered-By: PHP/5.4.45
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://securityforeveryone.com/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] https://securityforeveryone.com/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://securityforeveryone.com/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 2.3.3 identified (Insecure, released on 2008-02-05).
 | Found By: Rss Generator (Passive Detection)
 |  - https://securityforeveryone.com/?feed=rss2, 
 |  - https://securityforeveryone.com/?feed=rss2, http://wordpress.org/?v=2.3.3

[+] WordPress theme in use: theme212
 | Location: https://securityforeveryone.com/wp-content/themes/theme212/
 | Style URL: https://securityforeveryone.com/wp-content/themes/theme212/style.css
 | Style Name: WordPress theme 212
 | Style URI: http://wordpress.org/
 | Description: A theme from Template-Help.com Collection...
 | Author: Template_Help.com
 | Author URI: http://www.Template-Help.com/
 | Found By: Css Style In Homepage (Passive Detection)
 | Version: 2.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://securityforeveryone.com/wp-content/themes/theme212/style.css, Match: 'Version: 2.0'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:58 <=> (10 / 10) 100.00% Time: 00:00:58

[i] User(s) Identified:

[+] admin
 | Found By: Wp Json Api (Aggressive Detection)
 |  - https://securityforeveryone.com/wp-json/wp/v2/users/?per_page=100&page=1

[+] user
 | Found By: Wp Json Api (Aggressive Detection)
 |  - https://securityforeveryone.com/wp-json/wp/v2/users/?per_page=100&page=1

Some Advice for Common Problems

We advise you to apply these hardening steps:

  1. Restrict admin panel access if you can. Allow access from known IP addresses only.
  2. Change default usernames.
  3. Use a strong password for any privileged accounts.
  4. WordPress REST API property must be disabled.
  5. To disable REST API property, you can add the following code to function.php file of your theme.
    // Filters for WP-API version 1.x
    add_filter( ‘json_enabled’, ‘__return_false’ );
    add_filter( ‘json_jsonp_enabled’, ‘__return_false’ );
    // Filters for WP-API version 2.x
    add_filter( ‘rest_enabled’, ‘__return_false’ );
    add_filter( ‘rest_jsonp_enabled’, ‘__return_false’ );
  6. Use these extensions to prevent brute force attacks :
    1. Loginizer
    2. Login LockDown
    3. Limit Login Attempts Reloaded
    4. WP Limit Login Attempts
    5. Brute Force Login Protection
    6. Limit Attempts
    7. Limit Login Attempts
    8. WPS Limit Login
    9. BruteGuard

Need a Full Assessment?

Get help from professional hackers. Learn about our penetration test service now!

Request Pentest Service