Avoid user enumeration in WordPress

Last Revised: October 2, 2021

When WordPress tables are created, all auto-increment systems start at number 1. This means that the first user you create will be the user with ID 1, the next one is 2.

Systems that attack users automatically, take advantage of this numbering and usually analyze users between 1 and 10, as a starting point. So once you have done the installation of your WordPress, the next step is to change this automatic numbering.


Remember to change the prefix ‘wp_’ of the table you have chosen.

At this time, we will access the WordPress again, create a new administrator user, and delete the user generated by the installation, which will no longer be of use.

With this system, in principle, that new user (and the following ones) will have started with the figure 128, so that any attack that you want to carry out sequentially will be invalidated.

Seguir con Seguridad para WordPress

About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and having to put the material you create under EUPL license.