WQI.webqualityindex


WordPress REST API user enumeration exposure

#6 · Required · Web Standards · security · Security & Infrastructure · weight 3.3% · impl implemented · method v1.2.0

Web Standards item — Security

This factor is part of Web Standards — the table-stakes binary layer of the score. It is graded pass/fail and gates the Web Quality score; it is not weighted into Web Quality itself.

Pass criteria: Strict — passes only on pass.
Web Standards label: No WordPress user enumeration
Why it's required: On a WordPress site, a REST API that leaks usernames hands attackers half of every credential pair. Strict pass — n/a on non-WP.

Same factor, two depths.

What we measure

WordPress ships with a public API that lists every user account on your site by default — including your admin login names. Anyone can see them in seconds. That's half the information a hacker needs to attempt a break-in.
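The check itself is a single GET of `/wp-json/wp/v2/users` followed by a decision on the response. The classifier below is an added example, not WQI's own scoring code: it takes a captured status code and body (the constructed sample responses at the bottom stand in for real captures) and reports pass, fail or n/a. The decision rule is this example's assumption; the `rest_cannot_access` and `rest_no_route` error codes and the `slug` field are standard WordPress REST output.

```php
<?php
/**
 * Added example (not WQI's scoring code): decide pass / fail / n/a for this
 * factor from one captured GET /wp-json/wp/v2/users response.
 * The decision rule is this example's own assumption.
 *
 * @param int    $status HTTP status code of the response
 * @param string $body   raw response body
 * @return array{result:string, reason:string, users:string[]}
 */
function classify_users_endpoint( int $status, string $body ): array {
    $decoded = json_decode( $body, true );

    // 200 with a JSON list: inspect it for user objects.
    if ( $status === 200 && is_array( $decoded ) && ( $decoded === [] || isset( $decoded[0] ) ) ) {
        $leaked = [];
        foreach ( $decoded as $item ) {
            if ( is_array( $item ) && isset( $item['slug'] ) ) {
                // "slug" is the user_nicename, which usually equals the login name.
                $leaked[] = (string) $item['slug'];
            }
        }
        if ( $leaked ) {
            return [ 'result' => 'fail', 'reason' => 'usernames returned to an anonymous client', 'users' => $leaked ];
        }
        return [ 'result' => 'pass', 'reason' => 'endpoint reachable but lists no users', 'users' => [] ];
    }

    // WordPress REST error envelope: {"code":"rest_...","message":"...","data":{"status":N}}
    // e.g. rest_cannot_access (blocked by a plugin) or rest_no_route (routes removed).
    if ( is_array( $decoded ) && isset( $decoded['code'] ) ) {
        return [ 'result' => 'pass', 'reason' => 'REST error ' . $decoded['code'] . ' (HTTP ' . $status . ')', 'users' => [] ];
    }

    // Anything else (HTML page, plain 404, non-JSON): no WordPress REST payload at all.
    // Without WordPress detected elsewhere this factor does not apply.
    return [ 'result' => 'n/a', 'reason' => 'no WordPress REST response (HTTP ' . $status . ')', 'users' => [] ];
}

// Constructed sample responses (not captured from any real site).
$samples = [
    'open site'      => [ 200, '[{"id":1,"name":"Site Admin","slug":"admin"},{"id":2,"name":"Jane","slug":"jane"}]' ],
    'no authors'     => [ 200, '[]' ],
    'plugin block'   => [ 401, '{"code":"rest_cannot_access","message":"Only authenticated users can access the REST API.","data":{"status":401}}' ],
    'routes removed' => [ 404, '{"code":"rest_no_route","message":"No route was found matching the URL and request method.","data":{"status":404}}' ],
    'not WordPress'  => [ 404, '<html><body>Not Found</body></html>' ],
];

foreach ( $samples as $label => [ $status, $body ] ) {
    $r = classify_users_endpoint( $status, $body );
    printf(
        "%-15s %-4s  %s%s\n",
        $label,
        strtoupper( $r['result'] ),
        $r['reason'],
        $r['users'] ? '  users: ' . implode( ',', $r['users'] ) : ''
    );
}
```

For a live check, feed the function the status and body of the same GET (from curl or `wp_remote_get()`); the "open site" sample is what an unprotected default install returns and is the only input that fails.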

How to improve your score

Block `/wp-json/wp/v2/users` via a security plugin (Wordfence, iThemes Security) or by adding a `functions.php` filter that returns an empty array for unauthenticated requests.
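One way to implement the `functions.php` route, shown here as an added example rather than WQI's or any plugin's code: the `rest_endpoints` filter (a real WordPress hook) drops the `/wp/v2/users` routes from the route table whenever the request carries no authenticated user, so anonymous clients get a `rest_no_route` 404 while logged-in editors and the block editor keep working. Removing the routes rather than returning an empty list is this example's choice.

```php
<?php
/**
 * Added example (not WQI's code): hide the WordPress REST users routes
 * from unauthenticated requests. Place in the active theme's functions.php
 * or in a small must-use plugin.
 */
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    // Cookie- and application-password-authenticated clients keep full access;
    // the block editor and user-management screens depend on these routes.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    foreach ( array_keys( $endpoints ) as $route ) {
        // Covers /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
        if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

After deploying, an anonymous GET of `/wp-json/wp/v2/users` should return HTTP 404 with `"code":"rest_no_route"`, while the same request with a logged-in session still returns the user list.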

Facts

Ticket: WEBQ-6
Category: Security & Infrastructure
Status: live
Weight: 3.3%
Data source:
Service cost: Free — single HTTP GET request
Scoring impl: implemented
Method version: v1.2.0

When this applies

Only relevant for WordPress sites.

Scoring

Scoring formulas are versioned with the methodology. The current method (v1.2.0) maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.

Cited by these standards

Standards in the Standards Library whose satisfiedBy requirement tree references this factor. Each link goes to the standard's full entry — methodology, scope, and the other factors it relies on.

Version history

v1.2.0 (2026-04-28): Factor introduced. Status: live. Scoring impl: implemented.
