Prevent Enumeration of WordPress Usernames with WPScan


On nginx installations I have that are not EE, I use the following to prevent username enumeration.

location / {
   try_files $uri $uri/ /index.php?$args;

   # WPScan maps user IDs to login names by requesting /?author=N,
   # which WordPress answers with a 301 to /author/<login>/; flag it
   if ($args ~ "^/?author=([0-9]*)"){
      set $rule_0 1$rule_0;
   }
   # ...and send flagged requests for the front page back to "/" without
   # the query string (the replacement URL was missing from the post;
   # "/?" is assumed here, the trailing "?" drops the original arguments)
   if ($rule_0 = "1"){
      rewrite ^/$ /? permanent;
   }
}

It appears impossible (well, unwise anyway) to do in EE because location / appears in various include files under nginx/common that are updated as EE is updated, so the change would be overwritten. Any ideas where I might add it?

Thank you!


Hi @aTeXuN

Since there’s no way to have duplicate location blocks in a single server block, maybe the only workaround you can use is to find the location block which your virtual server is using and edit it to add your changes.



Try location ~ / or location ^/.

For my needs, probably not the same as yours, both workarounds worked fine.
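A worked example added to this thread (it is not code from any of the posts above, nor from EasyEngine): the `?author=N` check can live at server level in the per-site vhost file instead of inside `location /`. An `if` in server context is evaluated in nginx's server rewrite phase, before a location is selected, so the included `location /` never sees the request and the EasyEngine include files stay untouched. The host name, document root and include file names below are placeholders. The example also goes beyond the `?author=` case discussed in the thread by covering the REST API users route, which WPScan queries as well.

```nginx
# Added example, not from the thread or from EasyEngine.
# Assumed layout: the per-site vhost file includes EasyEngine's common
# configuration; host name, root and include names are placeholders.
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com/htdocs;

    # Author-ID enumeration: /?author=N is answered by WordPress with a 301
    # to /author/<login>/, leaking the login name. nginx's "if" cannot
    # combine conditions, so a flag is set and cleared, the same idiom as
    # $rule_0 in the first post. Only the front page ("/" or "/index.php")
    # is covered, because wp-admin legitimately uses ?author=N to filter
    # post lists and must keep working.
    set $block_author "";
    if ($arg_author != "") {
        set $block_author "1";
    }
    if ($uri !~ "^/(index\.php)?$") {
        set $block_author "";
    }
    if ($block_author = "1") {
        return 301 /;          # "return" does not append the query string
    }
    # Caveat: a site on plain (non-pretty) permalinks serves its author
    # archives through ?author=N and cannot use this rule.

    # Beyond the thread: WordPress also lists users anonymously through the
    # REST API, both at /wp-json/wp/v2/users and via the ?rest_route= form.
    # $uri is decoded and normalised; $arg_rest_route is not, so the regex
    # accepts "/" or "%2F" case-insensitively (~*) to stop a trivial bypass.
    set $block_users "";
    if ($uri ~ "^(/index\.php)?/wp-json/wp/v2/users") {
        set $block_users "1";
    }
    if ($arg_rest_route ~* "^(/|%2F)wp(/|%2F)v2(/|%2F)users") {
        set $block_users "1";
    }
    if ($block_users = "1") {
        return 403;
    }
    # Caveat: logged-in editors hit this route too (author drop-downs in the
    # block editor). nginx cannot tell an editor from WPScan reliably, so if
    # this gets in the way, restrict the route to authenticated users in PHP
    # instead of here.

    # EasyEngine's shipped blocks, including "location /", are left as-is.
    include common/wpcommon.conf;   # placeholder include name
    include common/php.conf;        # placeholder include name
}
```

After `nginx -t` and a reload, `curl -sI 'http://example.com/?author=1'` should show `Location: http://example.com/` rather than a `/author/<login>/` URL, and `curl -si 'http://example.com/?rest_route=/wp/v2/users'` should return 403. One reason to prefer the server-level `if` over a catch-all such as `location ~ /`: regex locations are tried in file order, so a catch-all placed before the PHP handler location would capture every `.php` request as well.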