Eliminating User Enumeration in WordPress with Caddy

1. The problem I’m having:

As a first time WordPress user, I’ve been confused by all the various security plugins and what they offer, so I’ve decided to see if some of the functionality could be included in the Caddyfile.

There’s the issue of user enumeration whereby attackers can find the WordPress usernames by looking at the JSON API or by running a check on blog authors. I’d like to run this code by you, to ensure it would work:

    @disallowed {
        path /xmlrpc.php
        path *.sql
        path /wp-content/uploads/*.php
        path *wp/v2/users*
        path /?author=*
    }

The addition of the last two paths, I hope, would block all attempts to use the JSON API to discover usernames, and allow people to pull a list of blog authors.

In the link below, I think this would prevent most attempts (#1, #3 and #5 on the article), but I’m not sure it would help with the issues of case sensitivity (#4).

What do you think?

2. Error messages and/or full log output:

n/a

3. Caddy version:

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

a. System environment:

Ubuntu 22.04.3.

b. Command:

n/a

c. Service/unit/compose file:

n/a

d. My complete Caddy config:

n/a

5. Links to relevant resources:

https://www.gosecure.net/blog/2021/03/16/6-ways-to-enumerate-wordpress-users/

This would not work. The path matcher only considers the path part of the URI, not the query. You can use the query matcher if you like.

This will do a substring match, but again, only on the path. I don’t know if that’s sufficient to cover what you’re trying to limit, but you can test it and see.
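To make the reply concrete, here is an added Caddyfile example (not posted in the thread and not Caddy project code) that keeps the original `path` entries and moves the `?author=` check into a `query` matcher. The site name, document root and PHP-FPM socket are assumptions. The two rules are deliberately kept in separate named matchers: different matcher types inside one named matcher are ANDed together, so putting `path` and `query` lines in the same block would only match requests that satisfy both.

```caddyfile
# Added example, not part of the original thread.
# Assumed host, document root and PHP-FPM socket; adjust to your install.
example.com {
	root * /var/www/wordpress
	php_fastcgi unix//run/php/php-fpm.sock
	file_server

	# The original post's path rules. `path` only sees the URI path, never the
	# query string, and path matching is exact but case-insensitive, so a
	# request for /WP-JSON/WP/V2/USERS is caught by the *wp/v2/users* pattern.
	@disallowed_path {
		path /xmlrpc.php
		path *.sql
		path /wp-content/uploads/*.php
		path *wp/v2/users*
	}
	respond @disallowed_path 403

	# The ?author=N probe is a query parameter, so it needs the query matcher.
	# A literal * as the value matches the parameter whatever its value.
	@author_query {
		query author=*
	}
	respond @author_query 403
}
```

`respond` is ordered before `php_fastcgi` and `file_server` in Caddy's default directive order, so matched requests are answered with 403 before they reach WordPress. To check the result, request `/xmlrpc.php`, `/wp-json/wp/v2/users`, and `/?author=1` and confirm each returns 403 while normal pages still render.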
