You can't find me

.gitattributes

@@ -0,0 +1,12 @@
+# Path-based git attributes
+# https://www.kernel.org/pub/software/scm/git/docs/gitattributes.html
+
+# Ignore everything.
+/* export-ignore
+
+# Export white-listed production code only.
+/src            -export-ignore
+/*.php          -export-ignore
+/composer.json  -export-ignore
+/LICENSE        -export-ignore
+/README.md      -export-ignore

.github_changelog_generator

@@ -0,0 +1,4 @@
+unreleased=true
+future-release=0.2.0
+user=itinerisltd
+project=itineris-prevent-wp-user-enumeration

.gitignore

@@ -0,0 +1,10 @@
+### Codeception ###
+/tests/_output/*
+/tests/_support/_generated/
+
+### Composer ###
+/composer.lock
+/vendor/
+
+### PhpStorm ###
+/.idea/

CHANGELOG.md

@@ -0,0 +1,5 @@
+# Changelog
+
+
+
+\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*

README.md

@@ -0,0 +1,96 @@
+# Itineris Prevent User Enumeration
+
+[![Packagist Version](https://img.shields.io/packagist/v/itinerisltd/itineris-prevent-wp-user-enumeration.svg)](https://packagist.org/packages/itinerisltd/itineris-prevent-wp-user-enumeration)
+[![PHP from Packagist](https://img.shields.io/packagist/php-v/itinerisltd/itineris-prevent-wp-user-enumeration.svg)](https://packagist.org/packages/itinerisltd/itineris-prevent-wp-user-enumeration)
+[![Packagist Downloads](https://img.shields.io/packagist/dt/itinerisltd/itineris-prevent-wp-user-enumeration.svg)](https://packagist.org/packages/itinerisltd/itineris-prevent-wp-user-enumeration)
+[![GitHub License](https://img.shields.io/github/license/itinerisltd/itineris-prevent-wp-user-enumeration.svg)](https://github.com/ItinerisLtd/itineris-prevent-wp-user-enumeration/blob/master/LICENSE)
+[![Hire Itineris](https://img.shields.io/badge/Hire-Itineris-ff69b4.svg)](https://www.itineris.co.uk/contact/)
+
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+
+- [Goal](#goal)
+- [Requirements](#requirements)
+- [Installation](#installation)
+  - [Alternative Installation](#alternative-installation)
+- [FAQs](#faqs)
+  - [Will you add support for older PHP versions?](#will-you-add-support-for-older-php-versions)
+  - [It looks awesome. Where can I find some more goodies like this?](#it-looks-awesome-where-can-i-find-some-more-goodies-like-this)
+  - [This isn't on wp.org. Where can I give a ⭐️⭐️⭐️⭐️⭐️ review?](#this-isnt-on-wporg-where-can-i-give-a-%EF%B8%8F%EF%B8%8F%EF%B8%8F%EF%B8%8F%EF%B8%8F-review)
+- [Feedback](#feedback)
+- [Change Log](#change-log)
+- [Security](#security)
+- [Credits](#credits)
+- [License](#license)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+## Goal
+
+Prevent the possibility of discovering usernames by various means.
+
+## Requirements
+
+- WordPress 6.1 or later
+- PHP 8.1 or later
+
+## Installation
+
+```bash
+$ composer require itinerisltd/itineris-prevent-wp-user-enumeration
+```
+
+### Alternative Installation
+
+Upload [itineris-prevent-wp-user-enumeration.php](./itineris-prevent-wp-user-enumeration.php) to `wp-content/plugins`.
+
+## FAQs
+
+### Will you add support for older PHP versions?
+
+Never! This plugin will only works on [actively supported PHP versions](https://secure.php.net/supported-versions.php).
+
+Don't use it on **end of life** or **security fixes only** PHP versions.
+
+### It looks awesome. Where can I find some more goodies like this?
+
+- Articles on [Itineris' blog](https://www.itineris.co.uk/blog/)
+- More projects on [Itineris' GitHub profile](https://github.com/itinerisltd)
+- Follow [@itineris_ltd](https://twitter.com/itineris_ltd) and [@\_codepuncher](https://twitter.com/_codepuncher) on Twitter
+- Hire [Itineris](https://www.itineris.co.uk/services/) to build your next awesome site
+
+### This isn't on wp.org. Where can I give a ⭐️⭐️⭐️⭐️⭐️ review?
+
+Thanks! Glad you like it. It's important to make my boss know somebody is using this project. Instead of giving reviews on wp.org, consider:
+
+- tweet something good with mentioning [@itineris_ltd](https://twitter.com/itineris_ltd)
+- star this Github repo
+- watch this Github repo
+- write blog posts
+- submit pull requests
+- [hire Itineris](https://www.itineris.co.uk/services/)
+
+## Feedback
+
+**Please provide feedback!** We want to make this library useful in as many projects as possible.
+Please submit an [issue](https://github.com/ItinerisLtd/itineris-prevent-wp-user-enumeration/issues/new) and point out what you do and don't like, or fork the project and make suggestions.
+**No issue is too small.**
+
+## Change Log
+
+Please see [CHANGELOG](./CHANGELOG.md) for more information on what has changed recently.
+
+## Security
+
+If you discover any security related issues, please email [email protected] instead of using the issue tracker.
+
+## Credits
+
+[Itineris Disable XML-RPC](https://github.com/ItinerisLtd/itineris-prevent-wp-user-enumeration) is a [Itineris Limited](https://www.itineris.co.uk/) project created by [Tang Rufus](https://typist.tech).
+
+Full list of contributors can be found [here](https://github.com/ItinerisLtd/itineris-prevent-wp-user-enumeration/graphs/contributors).
+
+## License
+
+[Itineris Disable XML-RPC](https://github.com/ItinerisLtd/itineris-prevent-wp-user-enumeration) is licensed under the GPLv2 (or later) from the [Free Software Foundation](http://www.fsf.org/).
+Please see [License File](LICENSE) for more information.

composer.json

@@ -0,0 +1,60 @@
+{
+  "name": "itinerisltd/itineris-prevent-wp-user-enumeration",
+  "description": "Prevent User Enumeration in WordPress to satisfy security reports.",
+  "license": "GPL-2.0-or-later",
+  "type": "wordpress-muplugin",
+  "keywords": [
+    "security",
+    "wordpress",
+    "users",
+    "owasp"
+  ],
+  "authors": [
+    {
+      "name": "Itineris Limited",
+      "email": "[email protected]",
+      "homepage": "https://itineris.co.uk/",
+      "role": "Company"
+    },
+    {
+      "name": "Lee Hanbury-Pickett",
+      "email": "[email protected]",
+      "homepage": "https://github.com/codepuncher/",
+      "role": "Developer"
+    }
+  ],
+  "homepage": "https://itinerisltd.github.io/itineris-prevent-wp-user-enumeration/",
+  "support": {
+    "email": "[email protected]",
+    "issues": "https://github.com/ItinerisLtd/itineris-prevent-wp-user-enumeration/issues",
+    "source": "https://github.com/ItinerisLtd/itineris-prevent-wp-user-enumeration"
+  },
+  "require": {
+    "php": "^8.1"
+  },
+  "require-dev": {
+    "itinerisltd/itineris-wp-coding-standards": "^0.4.1"
+  },
+  "prefer-stable": true,
+  "config": {
+    "allow-plugins": {
+      "dealerdirect/phpcodesniffer-composer-installer": true
+    },
+    "preferred-install": {
+      "*": "dist"
+    },
+    "sort-packages": true
+  },
+  "extra": {
+    "branch-alias": {
+      "dev-master": "0.1.x-dev"
+    }
+  },
+  "scripts": {
+    "pretag": [
+      "composer update",
+      "composer normalize",
+      "github_changelog_generator --no-verbose"
+    ]
+  }
+}

itineris-prevent-user-enumeration.php

@@ -0,0 +1,59 @@
+<?php
+/**
+ * Plugin Name:     Itineris Prevent WP User Enumeration
+ * Plugin URI:      https://github.com/ItinerisLtd/itineris-prevent-wp-user-enumeration
+ * Description:     Disable WordPress XML-RPC via actions and filters.
+ * Version:         0.1.0
+ * Author:          Itineris Limited
+ * Author URI:      https://itineris.co.uk
+ * License:         GPL-2.0-or-later
+ * License URI:     http://www.gnu.org/licenses/gpl-2.0.txt
+ */
+
+declare(strict_types=1);
+
+// If this file is called directly, abort.
+if (! defined('WPINC')) {
+    die;
+}
+
+// Make login errors generic.
+add_filter('login_errors', function (string $error): string {
+    $errors = $GLOBALS['errors'];
+    $error_codes = $errors->get_error_codes();
+    if (! in_array('invalid_username', $error_codes, true) && ! in_array('incorrect_password', $error_codes, true)) {
+        return $error;
+    }
+
+    return __('Something was wrong.', 'itineris-prevent-wp-user-enumeration');
+});
+
+// Disable /?author=ID.
+add_action('wp', function (): void {
+    /** @var WP_Query */
+    $wp_query = $GLOBALS['wp_query'];
+    $query_vars = $wp_query->query_vars;
+    if (empty($query_vars) || empty($query_vars['author'])) {
+        return;
+    }
+
+    $wp_query->set_404();
+    status_header(404);
+    nocache_headers();
+});
+
+// Remove user-related REST endpoints.
+add_filter('rest_endpoints', function (array $endpoints): array {
+    return array_filter(
+        $endpoints,
+        fn(string $endpoint): bool => (0 === preg_match('/^\/wp\/v2\/users/', $endpoint)),
+        ARRAY_FILTER_USE_KEY
+    );
+});
+
+// Remove user info from oEmbed data.
+add_filter('oembed_response_data', function (array $data): array {
+    unset($data['author_name']);
+    unset($data['author_url']);
+    return $data;
+});

phpcs.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0"?>
+<ruleset name="Plugin">
+  <!-- Check only our site MU plugin -->
+  <file>./</file>
+
+  <!-- Show colors in console -->
+  <arg value="-colors" />
+
+  <!-- Show progress and sniff codes in all reports; Show progress of the run -->
+  <arg value="sp" />
+
+  <!-- Scan only PHP files -->
+  <arg name="extensions" value="php" />
+
+  <!-- Use Itineris WP Coding Standards -->
+  <rule ref="Itineris">
+    <exclude name="PSR12.Files.FileHeader" />
+
+    <exclude name="Squiz.Commenting.FunctionComment.MissingParamComment" />
+    <exclude name="Squiz.Commenting.FunctionComment.MissingParamName" />
+    <exclude name="Squiz.Commenting.FunctionComment.MissingParamTag" />
+
+    <exclude name="WordPress.NamingConventions.ValidVariableName" />
+    <exclude name="WordPress.WP.EnqueuedResourceParameters.MissingVersion" />
+  </rule>
+
+  <config name="minimum_supported_wp_version" value="6.1" />
+
+  <rule ref="WordPress.WP.I18n">
+    <properties>
+      <property name="text_domain" type="array" value="itineris-prevent-wp-user-enumeration" />
+    </properties>
+  </rule>
+</ruleset>