Make WordPress Core

Opened 7 months ago

Closed 7 months ago

#64281 closed defect (bug) (invalid)

Usernames exposed in wp-sitemap-users.xml is a security risk

Reported by: azulstudio
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Sitemaps
Keywords:
Focuses:
Cc:

Description

The WordPress core sitemap feature currently generates a users sitemap at /wp-sitemap-users.xml (and /wp-sitemap-users-1.xml for pagination). This sitemap exposes login usernames of all registered users, including administrators.

This is a serious security concern because:

  • It provides attackers with a complete list of valid login usernames.
  • Brute-force and credential-stuffing attacks become significantly easier once usernames are known.
  • Publishing usernames adds no SEO value — display names are already available for author archives and can serve the same purpose without exposing credentials.

Steps to Reproduce

1. Enable WordPress core sitemaps (default since WP 5.5).
2. Visit /wp-sitemap-users-1.xml.
3. Observe that administrator login usernames are listed.

Expected Behavior
Usernames should never be exposed publicly.

Either:

  • The users sitemap should be disabled by default, or
  • The sitemap should use display names instead of login usernames.

Actual Behavior
Login usernames are exposed in the sitemap.

This creates a direct attack vector for brute-force attempts.

Suggested Fix

  • Remove the users sitemap entirely (recommended, as it adds no SEO value).
  • Alternatively, replace login usernames with display names.
  • Provide a simple admin setting to disable the users sitemap without requiring custom code edits.
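The reporter's first suggestion, dropping the users sitemap, can be done from a small plugin without editing core. WordPress passes every sitemap provider through the `wp_sitemaps_add_provider` filter as it registers it, and returning `false` for the provider named `users` keeps it out of the sitemap index, so `/wp-sitemap-users.xml` and its paginated pages are no longer generated. The snippet below is an added example, not code from the ticket or from WordPress core; the plugin header text is illustrative.

```php
<?php
/**
 * Plugin Name: Disable Users Sitemap (example)
 * Description: Removes the "users" provider from the WordPress core sitemaps.
 */

// Added example, not part of the ticket or of WordPress core.
// The wp_sitemaps_add_provider filter receives each provider object and its
// registered name; returning false instead of the provider unregisters it.
add_filter(
    'wp_sitemaps_add_provider',
    function ( $provider, $name ) {
        if ( 'users' === $name ) {
            // /wp-sitemap-users.xml (and /wp-sitemap-users-N.xml) stop being served.
            return false;
        }
        // Leave the posts and taxonomies providers untouched.
        return $provider;
    },
    10,
    2
);
```

After activating the plugin, the `users` entry disappears from `/wp-sitemap.xml` and a request for `/wp-sitemap-users-1.xml` no longer resolves to a sitemap. Note what this does not change: author archive pages and the REST users endpoint mentioned later in the ticket remain public, so this only narrows one listing rather than hiding usernames from the site.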

Change History (1)

#1 @swissspidy
7 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from major to normal
  • Status changed from new to closed

Hi there and welcome to WordPress Trac!

The WordPress project doesn’t consider usernames or user ids to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.

This includes, for example, retrieving the list of site users through the REST API Users endpoint, GET /wp-json/wp/v2/users. Making this publicly accessible is intentional. The same goes for the XML sitemaps.

See https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue for more information.

In the future, if you believe you have found a vulnerability in WordPress, please keep it confidential and report it to the WordPress Security Team.
