[wp-trac] [WordPress Trac] #64281: Usernames exposed in wp-sitemap-users.xml is a security risk
WordPress Trac
noreply at wordpress.org
Thu Nov 20 13:06:04 UTC 2025
--------------------------+-----------------------------
 Reporter:  azulstudio    |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Sitemaps      |     Version:
 Severity:  major         |    Keywords:
  Focuses:                |
--------------------------+-----------------------------
Description
The WordPress core sitemap feature currently generates a users sitemap at
/wp-sitemap-users.xml (and /wp-sitemap-users-1.xml for pagination). This
sitemap exposes login usernames of all registered users, including
administrators.
This is a serious security concern because:
 * It provides attackers with a complete list of valid login usernames.
 * Brute-force and credential-stuffing attacks become significantly easier
   once usernames are known.
 * Publishing usernames adds no SEO value — display names are already
   available for author archives and can serve the same purpose without
   exposing credentials.
Steps to Reproduce
 1. Enable WordPress core sitemaps (default since WP 5.5).
 2. Visit /wp-sitemap-users-1.xml.
 3. Observe that administrator login usernames are listed.
Expected Behavior
Usernames should never be exposed publicly.
Either:
 * The users sitemap should be disabled by default, or
 * The sitemap should use display names instead of login usernames.
Actual Behavior
Login usernames are exposed in the sitemap.
This creates a direct attack vector for brute‑force attempts.
Suggested Fix
 * Remove the users sitemap entirely (recommended, as it adds no SEO value).
 * Alternatively, replace login usernames with display names.
 * Provide a simple admin setting to disable the users sitemap without
   requiring custom code edits.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64281>
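Until core changes, a site owner can already suppress the users sitemap with the `wp_sitemaps_add_provider` filter that core sitemaps have offered since WordPress 5.5. The must-use plugin below is an added example, not code from the ticket or from WordPress core; the file name, plugin header and the choice of an mu-plugin (rather than a theme's functions.php) are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Disable Users Sitemap (example mitigation)
 * Description: Stops WordPress core sitemaps from registering the "users"
 *              provider, so /wp-sitemap-users.xml and its paginated
 *              /wp-sitemap-users-N.xml variants are no longer generated and
 *              the users entry disappears from /wp-sitemap.xml.
 *
 * Save as wp-content/mu-plugins/disable-users-sitemap.php. Files in
 * mu-plugins load on every request and need no activation, so the
 * mitigation cannot be switched off from the plugins screen by mistake.
 */

// Core registers each sitemap provider through
// WP_Sitemaps_Registry::add_provider(), which applies the
// 'wp_sitemaps_add_provider' filter with ( $provider, $name ) before adding
// it. Returning anything that is not a WP_Sitemaps_Provider makes
// add_provider() skip registration, so the provider never exists for this
// request. Every other provider ('posts', 'taxonomies') passes through
// unchanged.
add_filter(
    'wp_sitemaps_add_provider',
    function ( $provider, $name ) {
        if ( 'users' === $name ) {
            // Returning false prevents the users sitemap from being registered.
            return false;
        }
        return $provider;
    },
    10,
    2
);
```

To confirm the mitigation is active, fetch /wp-sitemap.xml and check that no `<loc>` pointing at wp-sitemap-users-1.xml remains. The filter only affects core sitemaps; SEO plugins that generate their own sitemaps have their own author-sitemap settings and need to be checked separately.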