Check if xmlrpc.php is open and whether your usernames leak.
Demo tool — results are sample data, not a live lookup.
Two classic WordPress attack surfaces are xmlrpc.php and user enumeration. xmlrpc.php can be abused for brute-force amplification and pingback attacks, while the REST API endpoint /wp-json/wp/v2/users and the ?author=1 query can hand attackers a list of valid usernames to target.
This tool checks whether those endpoints are exposed, so you can decide whether to disable XML-RPC and block user enumeration before a bot finds them for you.
If nothing you use depends on it (some older apps and Jetpack features do), disabling it removes a whole class of attacks. Otherwise, rate-limit and challenge it instead.
Knowing a valid username is half of a brute-force attempt. Hiding usernames forces attackers to guess both fields.
A security plugin or firewall (or CDN rules) can disable xmlrpc.php, block ?author= scans, and require authentication for the REST users endpoint.
Performance, security, and the WordPress tooling you need — fully managed, so these checks stay green.