Stop user enumerations for PCI scanner compliance

Blocks user enumeration for PCI scanner compliance: it rejects anonymous `?author=N` requests (which WordPress would otherwise redirect to the author's archive, revealing the login name) and requires authentication for the REST users endpoint. Must be set to run on both front-end and back-end ("run everywhere" setting).

// Part 1: stop the classic ?author=N probe for anonymous visitors.
// Unpatched WordPress redirects ?author=N to /author/<login>/, which leaks
// the login name; here any anonymous request whose author value contains a
// digit is answered with a 403 instead.
add_action( 'plugins_loaded', function() {

	if ( ! is_user_logged_in() && isset( $_REQUEST['author'] ) && is_string( $_REQUEST['author'] ) ) {

		$author = sanitize_text_field( wp_unslash( $_REQUEST['author'] ) );

		if ( preg_match( '/\d/', $author ) === 1 ) {

			wp_die(
				esc_html__( 'forbidden - number in author name not allowed = ', 'stop-user-enumeration' )
				. esc_html( $author ),
				'',
				array( 'response' => 403 ) // wp_die() defaults to HTTP 500; 403 matches the "forbidden" message
			);

		}

	}

} );

// Part 2: require authentication for the REST users endpoint
// (/wp-json/wp/v2/users, or the ?rest_route=/wp/v2/users form), which
// otherwise lists user IDs and login names to anyone.
// rest_authentication_errors is a filter, so add_filter() is the idiomatic hook.
add_filter( 'rest_authentication_errors', function( $access ) {

	$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
	$rest_route  = ( isset( $_REQUEST['rest_route'] ) && is_string( $_REQUEST['rest_route'] ) ) ? $_REQUEST['rest_route'] : '';

	$is_users_request = ( preg_match( '/users/', $request_uri ) === 1 )
		|| ( preg_match( '/users/', $rest_route ) === 1 );

	if ( $is_users_request && ! is_user_logged_in() ) {

		// 401 for anonymous callers (rest_authorization_required_code() picks the status)
		return new WP_Error(
			'rest_cannot_access',
			esc_html__( 'Only authenticated users can access the User endpoint REST API.', 'stop-user-enumeration' ),
			array( 'status' => rest_authorization_required_code() )
		);

	}

	return $access;

} );

How to use

  1. Log into a staging, development, or locally hosted clone of your site
  2. Install and activate Code Snippets
  3. WP Admin > Snippets > Add New
  4. Copy and paste the code from the Description tab above
  5. Check to ensure formatting came over properly and no syntax errors show up in the editor
  6. Customize the code as desired
  7. Add a meaningful title
  8. Select whether to run on front-end or back-end (or both)
  9. Click “Save and Activate”
  10. Test your site to ensure it works
  11. Deactivate the snippet if any problems appear, or recover the site
  12. Repeat for live environment
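To carry out step 10 for both protections the snippet provides, here is an added verification script; it is not part of the snippet, the Code Snippets plugin, or WordPress. It assumes the site under test is reachable at `BASE_URL` (a placeholder to replace with your own staging site) and that a user with ID 1 exists. It sends one request to `?author=1` and one to `/wp-json/wp/v2/users` and reports whether each still leaks. The `classify_*` helpers take a captured status, headers and body, so the verdict logic can be exercised offline with constructed responses.

```python
"""Post-activation check for the author-parameter and REST-users protections.
Added example, not the snippet's own code.  BASE_URL is an assumption."""
import sys
import urllib.error
import urllib.request

BASE_URL = "https://staging.example.invalid"  # assumed placeholder; use your own staging site


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 30x response instead of following it, so the Location header
    WordPress emits for ?author=N can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url):
    """Return (status, headers as a lowercase-keyed dict, first 2 KiB of body)."""
    opener = urllib.request.build_opener(NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "enum-check/0.1"})
    try:
        with opener.open(req, timeout=10) as resp:
            status, hdrs, body = resp.status, resp.headers, resp.read(2048)
    except urllib.error.HTTPError as err:  # 30x/4xx/5xx responses land here
        status, hdrs, body = err.code, err.headers, err.read(2048)
    return status, {k.lower(): v for k, v in hdrs.items()}, body.decode("utf-8", "replace")


def classify_author_probe(status, headers, body):
    """Unpatched WordPress answers ?author=N with a 301 to /author/<login>/,
    which reveals the login name.  The snippet answers 403 (or 500 if wp_die()
    was left at its default status) with a 'forbidden' message."""
    headers = {k.lower(): v for k, v in headers.items()}
    location = headers.get("location", "")
    if status in (301, 302) and "/author/" in location:
        return "leaks", location
    if status == 403 or (status == 500 and "forbidden" in body.lower()):
        return "blocked", ""
    return "inconclusive", location


def classify_users_endpoint(status, body):
    """/wp-json/wp/v2/users returns 200 with a JSON array when enumeration is
    open.  With the filter active, anonymous callers get 401 (rest_cannot_access)."""
    if status == 200 and body.lstrip().startswith("["):
        return "leaks"
    if status in (401, 403):
        return "blocked"
    return "inconclusive"


def run_checks(base_url):
    """Probe both vectors once and return {check_name: verdict}."""
    a_status, a_headers, a_body = fetch(base_url + "/?author=1")
    author_verdict, _ = classify_author_probe(a_status, a_headers, a_body)
    u_status, _, u_body = fetch(base_url + "/wp-json/wp/v2/users")
    return {
        "author_param": author_verdict,
        "rest_users": classify_users_endpoint(u_status, u_body),
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else BASE_URL
    results = run_checks(target.rstrip("/"))
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    # non-zero exit if either vector is not confirmed blocked, for use in a deploy check
    sys.exit(0 if all(v == "blocked" for v in results.values()) else 1)
```

Run it as `python3 enum_check.py https://your-staging-site` after activating the snippet; both lines should read `blocked`. An `inconclusive` verdict usually means a cache, WAF or hosting-level rule answered before WordPress did, so inspect the raw response before assuming the snippet is working.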

License

All code snippets are licensed GPLv2 (or later) matching WordPress licensing.

Disclaimer of warranty:

Except when otherwise stated in writing the copyright holders and/or other parties provide the program as-is without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.

Support

  1. Describe the issue and what you’ve observed.
  2. Describe your expected outcome(s).
  3. List steps to reproduce the issue.
  4. Optionally provide screen-shot or video URLs.
  5. Email to [email protected]
