Let's start with the basics: user enumeration is the process of discovering a WordPress user's login name by supplying that user's numeric ID.
So, for instance, you can put something like
Obviously change the domain name. If you have no protection and WordPress permalinks are turned on, you will get back the login name for user 1, which is often the primary administrator.
Enumeration is simply the process of trying each number in turn: 1, 2, 3, 4, and so on.
Frighteningly easy, isn't it? That is user enumeration.
But so what? You have a username. You can't log in without a password, can you?
Some people think that having the username is halfway to logging in, but it only is if you use really weak passwords like 'password123'. The simple answer is to use strong passwords: that means at least 9 random characters, e.g. T2Te@t1LW, or, for memorability, 4 dictionary words with a few bits of randomness thrown in, e.g. <nailphonecaveatplug>
So why would you want to stop user enumeration, then?
User enumeration is a technique used by scanning tools when they probe your WordPress website for weaknesses. Scanning tools are used by hackers, so if you can detect a tool scanning your website you are at least in a position to block that attack, as something worse may shortly be coming from that IP. It isn't foolproof, of course, because it doesn't take much to scan from one IP and attack from another, but most hackers, when it comes to WordPress, are lazy: if they find a locked-down site they move on (automatically) to the next.
It is possible (but clumsy) to block user enumeration using .htaccess rules, but that isn't really the point here. The need is to block the enumeration and then block further attempts by locking out the offending IP address.
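As an added example of the detect-then-lock-out idea (this is not code from the original post or from any plugin it refers to), the Python below reads constructed Apache access-log lines, picks out requests that probe author IDs, and flags any IP that walks through several distinct IDs within a short window, which is the pattern a scanning tool leaves behind. The `?author=<n>` query form, the thresholds and the sample log lines are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)
# Query-string form of a user-ID probe (/?author=<n>). Treating this parameter
# as the probe signature is an assumption of this example.
AUTHOR_PROBE_RE = re.compile(r'[?&]author=(\d+)')

# Constructed sample log lines (not real traffic): one client walks author
# IDs 1..4 within a few seconds; another makes one normal page request and
# a single author-ID request, which is not enough to count as enumeration.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:55:38 +0000] "GET /about/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

def parse_ts(raw):
    """Parse the bracketed Apache timestamp, e.g. 10/Oct/2023:13:55:36 +0000."""
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")

def find_enumerators(log_text, max_ids=3, window=timedelta(minutes=5)):
    """Return IPs that requested at least `max_ids` distinct author IDs within
    any `window`-long span; a lone author-ID request does not trip it."""
    probes = defaultdict(list)  # ip -> [(timestamp, author_id), ...]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore it
        p = AUTHOR_PROBE_RE.search(m.group("path"))
        if p:
            probes[m.group("ip")].append((parse_ts(m.group("ts")), int(p.group(1))))
    flagged = set()
    for ip, events in probes.items():
        events.sort()
        # Slide a window starting at each probe and count distinct IDs in it.
        for i, (start, _) in enumerate(events):
            ids = {aid for ts, aid in events[i:] if ts - start <= window}
            if len(ids) >= max_ids:
                flagged.add(ip)
                break
    return sorted(flagged)
```

The returned list is what you would feed to whatever does the lockout (a firewall rule, a deny list, a plugin's blocklist); run against the sample it returns `['203.0.113.7']`.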