As a pentester, you surely already encountered some unsecure WordPress websites, and I bet you ran WPScan on it. You might have discovered vulnerable themes or plugins, obsolete WordPress versions and I guess you tried the user enumeration available through WPScan. However, WPScan may not be enough to perform a reliable user enumeration. Thomas and I have recently discovered a new way to enumerate WordPress users through the login page ; a method to bypass most of the security protections that can be enabled on the WordPress login page apart from the HTTP Authentication to access this page of course. This is what today’s post is about. The State of Art WPScan gathers every known methods to enumerate WordPress users which are the following ones: Author ID Brute Forcing Author Posts Author Sitemap Login Error Messages oEmbed API RSS Generator WP JSON API YoastSEO Author Sitemap You might have noticed that the #4 seems close to the one we’re announci...