WordPress Security Guide

Does WordPress expose user information?

Yes, WordPress exposes user information through several default features. The REST API endpoint /wp-json/wp/v2/users lists all registered users with their usernames, display names, and profile URLs. Author archive pages at /?author=1 reveal usernames through URL redirects. Login error messages differentiate between invalid usernames and wrong passwords, confirming valid accounts. RSS feeds may include author information. This user enumeration helps attackers identify valid admin accounts for brute-force attacks. Disable user enumeration by restricting the REST API, removing author archives, and using generic login error messages. UNPWNED tests for user information exposure.
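The three mitigations named above, sketched as a single must-use plugin. This is an added example, not code from UNPWNED or from WordPress itself; the file name and location, the error code `rest_login_required`, and the message strings are assumptions, while the hooks and functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Limit user enumeration (added example)
 * Assumed location: wp-content/mu-plugins/limit-user-enumeration.php
 */

// 1. REST API: refuse /wp/v2/users and /wp/v2/users/<id> for visitors who
//    are not logged in. Authenticated editors and admins are unaffected.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( ! is_user_logged_in()
        && preg_match( '#^/wp/v2/users(/|$)#', $request->get_route() ) ) {
        return new WP_Error(
            'rest_login_required', // hypothetical error code
            __( 'Authentication is required to list users.' ),
            array( 'status' => 401 )
        );
    }
    return $result;
}, 10, 3 );

// 2. Author archives: priority 1 runs before core's canonical redirect
//    (priority 10), so /?author=1 is never rewritten to /author/<username>/.
//    The query vars are checked as well as is_author() so that existing and
//    non-existing authors get the same response (no redirect-vs-404 oracle).
add_action( 'template_redirect', function () {
    if ( is_author()
        || get_query_var( 'author' )
        || get_query_var( 'author_name' ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 3. Login form: one message for every failure, so an unknown username and
//    a wrong password are indistinguishable.
add_filter( 'login_errors', function () {
    return __( 'The username or password you entered is incorrect.' );
} );
```

After deploying, an unauthenticated request to /wp-json/wp/v2/users should return 401, and /?author=1 should redirect to the home page for any author ID.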


Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.