Prevent anonymous users from listing usernames via the ClassicPress REST API.

Username Protection

ClassicPress provides many helpful REST API endpoints that expose data about your site. For the most part, this is a handy feature. In the case of usernames, however, allowing this endpoint to be accessed anonymously can make your site more susceptible to brute-force attacks. This plugin prevents anonymous access to the endpoint.

Before Installing

Do you even need this plugin? To find out, log out of your site, then open the following URLs in separate browser tabs. Be sure to replace with the URL to your ClassicPress installation.

Inspect the output of each URL. Do you find any usernames or display names? If not, you're all set – you don't need this plugin! If you do find usernames or display names, follow the instructions below to install the plugin.


  • Download the package to your local computer.
  • Navigate to Dashboard > Plugins > Add New > Upload Plugin and upload the package to your site.
  • Click to install, then activate the plugin.


There are no configuration settings – the plugin is designed to just work. If you would like to personally verify that it is working as expected, you can log out of the site and revisit the URLs above. When you are logged out, the usernames and display names are removed; when you are logged in, they are accessible, as expected.
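The manual inspection described above can also be done on saved response bodies. The following is an added example, not part of the plugin: it assumes the responses follow the usual REST user object shape, where `name` holds the display name and `slug` is derived from the login name, and every sample body is constructed for illustration (the shape of the protected response is an assumption).

```python
import json

# Fields of a REST user object that reveal who the account is. "slug" is
# normally derived from the login name; "name" is the display name.
IDENTITY_FIELDS = ("username", "slug", "name")

def _user_objects(doc):
    """Yield the user-shaped dicts found in a decoded REST response."""
    for item in doc if isinstance(doc, list) else [doc]:
        if not isinstance(item, dict):
            continue
        if "author" in item or "_embedded" in item:
            # A post: its own slug is not a username, only embedded authors count.
            embedded = item.get("_embedded")
            authors = embedded.get("author", []) if isinstance(embedded, dict) else []
            yield from (a for a in authors if isinstance(a, dict))
        else:
            yield item

def exposed_identities(body):
    """Return sorted (field, value) pairs that disclose a username or display name."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []  # not JSON (for example an HTML error page)
    found = set()
    for user in _user_objects(doc):
        for field in IDENTITY_FIELDS:
            value = user.get(field)
            if isinstance(value, str) and value:
                found.add((field, value))
    return sorted(found)

# Constructed sample bodies, as they might be saved while logged out.
UNPROTECTED_USERS = '[{"id": 1, "name": "Alice Admin", "slug": "alice"}]'
PROTECTED_USERS = '[{"id": 1, "link": "https://example.test/"}]'  # assumed shape
POST_WITH_AUTHOR = ('[{"id": 7, "slug": "hello-world", "author": 1, "_embedded": '
                    '{"author": [{"id": 1, "name": "Alice Admin", "slug": "alice"}]}}]')
ERROR_BODY = '{"code": "rest_forbidden", "message": "Sorry.", "data": {"status": 401}}'

if __name__ == "__main__":
    samples = {"users (unprotected)": UNPROTECTED_USERS, "users (protected)": PROTECTED_USERS,
               "post with embedded author": POST_WITH_AUTHOR, "error response": ERROR_BODY}
    for label, body in samples.items():
        print(f"{label}: {exposed_identities(body) or 'nothing exposed'}")
```

An empty result for every saved body corresponds to the "you're all set" outcome described above.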

NOTE: While this plugin does work with WordPress, it may cause certain aspects of Jetpack to fail. See this thread for a workaround.
