Stop user enumerations for PCI scanner compliance

Secures user enumerations for PCI scanner compliance. Must be set to run on both front-end and back-end (run everywhere setting).

Category: Back-end code snippets Tags: author, block, compliance, enumeration, is_user_logged_in, PCI, rest_authentication_errors, scanner, security, user, WordPress

add_action( 'plugins_loaded', function() {
	if( ! is_user_logged_in() && isset( $_REQUEST['author'] ) ) {
		if( preg_match( '/\\d/', $_REQUEST['author'] ) > 0 ) {
			wp_die(
				esc_html__( 'forbidden - number in author name not allowed = ', 'stop-user-enumeration' )
				. esc_html( $_REQUEST['author'] )
			);
		}
	}
} );
add_action( 'rest_authentication_errors', function( $access ) {
	if(
		preg_match( '/users/', $_SERVER['REQUEST_URI'] ) !== 0
		|| isset( $_REQUEST['rest_route'] ) && preg_match( '/users/', $_REQUEST['rest_route'] ) !== 0
	) {
		if( ! is_user_logged_in() ) {
			return new WP_Error(
				'rest_cannot_access',
				esc_html__( 'Only authenticated users can access the User endpoint REST API.', 'stop-user-enumeration' ),
				array( 'status' => rest_authorization_required_code() )
			);
		}
	}
	return $access;
} );

How to use

Log into a staging, development, or locally hosted clone of your site.
Install and activate the Code Snippets plugin.
Navigate to WP Admin > Snippets > Add New.
Copy and paste the code from the Description tab above.
Check to ensure formatting came over properly and no syntax errors show up in the editor.
Customize the code as desired.
Add a meaningful title and description.
Select whether to run on front-end or back-end (or both). Some snippets require both.
Click the “Save and Activate” button.
Test your site to ensure it works as expected.
Disable if any problems, or recover as necessary.
Repeat steps two onward on your live environment.

Support

Using our Google upload form:

Describe the issue and what you’ve observed.
Describe your expected outcome(s).
List steps to reproduce the issue.
Optionally attach screen-shot images or a video.

Credits

We code all of our code snippets directly. Our clients provide most of the ideas and demand for the functionality provided by our code snippets.

There are several sources one can find on Google for code that has inspired or contributed to this open-source library. Here’s some main ones:

License & Disclaimer

All code snippets are licensed GPLv2 (or later) matching WordPress licensing.

Disclaimer of warranty:

EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.