Stop user enumerations for PCI scanner compliance
Blocks user enumeration (the ?author=N probe and the REST users endpoint) for PCI scanner compliance. Must be set to run on both front-end and back-end (the "run everywhere" setting).
```php
// Block author-ID probes (/?author=1) from anonymous visitors. Without this,
// WordPress redirects to /author/<login>/ and reveals the username.
add_action( 'plugins_loaded', function () {
    if ( is_user_logged_in() || ! isset( $_REQUEST['author'] ) ) {
        return;
    }
    $author = $_REQUEST['author'];
    // Refuse any value containing a digit. Non-string input (e.g. author[]=1)
    // is refused too, since preg_match() would throw a TypeError on PHP 8.
    if ( ! is_string( $author ) || preg_match( '/\d/', $author ) ) {
        wp_die(
            esc_html__( 'forbidden - number in author name not allowed = ', 'stop-user-enumeration' )
            . esc_html( is_string( $author ) ? $author : '[array]' )
        );
    }
} );

// Require authentication for any REST route containing "users"
// (/wp-json/wp/v2/users, /wp-json/wp/v2/users/<id>, or the ?rest_route= form).
add_filter( 'rest_authentication_errors', function ( $access ) {
    $uri   = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    $route = isset( $_REQUEST['rest_route'] ) && is_string( $_REQUEST['rest_route'] )
        ? $_REQUEST['rest_route']
        : '';
    if ( preg_match( '/users/', $uri ) || preg_match( '/users/', $route ) ) {
        if ( ! is_user_logged_in() ) {
            // rest_authorization_required_code() is 401 for anonymous requests.
            return new WP_Error(
                'rest_cannot_access',
                esc_html__( 'Only authenticated users can access the User endpoint REST API.', 'stop-user-enumeration' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
    }
    // Leave any earlier authentication result untouched for every other route.
    return $access;
} );
```
Instructions for Stop user enumerations for PCI scanner compliance
- Log into a staging or locally hosted clone of your site.
- Install and activate Code Snippets plugin.
- WP Admin > Snippets > Add New
- Copy and paste the code from the section above.
- Check to ensure formatting came over properly.
- Customize the code as desired.
- Add a meaningful title.
- Select whether to run on front-end or back-end (or both).
- Click “Save and Activate”.
- Test your site to ensure it works.
- Disable the snippet if any problems appear, or recover.
- Repeat for live environment.
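For the "Test your site" step, the following is an added verification script (not from the original page or its author) that probes a staging clone with curl and reports whether both vectors are blocked; the staging URL is an assumed placeholder and the expected responses follow from the snippet above.

```shell
#!/bin/sh
# Added verification script (not part of the snippet above). Assumes curl is
# installed and $1 is the staging clone URL; https://staging.example.com is a
# constructed placeholder.
# Unprotected WordPress answers /?author=1 with a redirect to /author/<login>/,
# the username leak PCI scanners flag. With the snippet active the request
# ends in a "forbidden" wp_die() page, so anything that is not a redirect into
# /author/ is blocked. Status 000 means curl never connected: not a pass.
author_probe_blocked() {   # $1 = HTTP status, $2 = redirect target
    case "$1" in
        000) return 1 ;;
        301|302|307|308)
            case "$2" in
                */author/*) return 1 ;;
            esac ;;
    esac
    return 0
}

# The REST filter returns WP_Error('rest_cannot_access') with
# rest_authorization_required_code(), i.e. HTTP 401 for anonymous callers.
rest_users_blocked() {     # $1 = HTTP status, $2 = response body
    [ "$1" = "401" ] || return 1
    case "$2" in
        *rest_cannot_access*) return 0 ;;
        *) return 1 ;;
    esac
}
run_checks() {             # run_checks https://staging.example.com
    site="${1%/}"; rc=0
    # -s quiet, redirects not followed; -w appends status and redirect target
    out=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "$site/?author=1")
    if author_probe_blocked "${out%% *}" "${out#* }"; then
        echo "PASS /?author=1 (HTTP ${out%% *})"
    else
        echo "FAIL /?author=1 (HTTP ${out%% *}) ${out#* }"; rc=1
    fi
    out=$(curl -s -w '\n%{http_code}' "$site/wp-json/wp/v2/users")
    status=$(printf '%s\n' "$out" | tail -n 1)
    body=$(printf '%s\n' "$out" | sed '$d')
    if rest_users_blocked "$status" "$body"; then
        echo "PASS /wp-json/wp/v2/users (HTTP $status)"
    else
        echo "FAIL /wp-json/wp/v2/users (HTTP $status)"; rc=1
    fi
    return $rc
}
if [ $# -gt 0 ]; then run_checks "$1"; fi
```

Run it as `sh check-enumeration.sh https://staging.example.com`; a non-zero exit means at least one vector still answers the way an unprotected site does.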
Need help modifying Stop user enumerations for PCI scanner compliance?
Contact me. I can help with fitting projects or refer you to my partner.
License
All code snippets are licensed GPLv2 (or later) matching WordPress licensing.
Disclaimer of warranty
Except when otherwise stated in writing, the copyright holders and/or other parties provide the program as-is without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.