You can bruteforce WordPress users;

wpscan –url prepperhacker.nl –enumerate u

[+] We did not enumerate any usernames

next step would have been: wpscan –url www.prepperhacker.nl –wordlist rockyou.txt –username admin

It was prevented by .htaccess:

RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} ^author=\d+ [NC,OR]
RewriteCond %{QUERY_STRING} ^author=\{num
RewriteRule ^ – [L,R=403]

Source: https://wordpress.stackexchange.com/questions/46469/can-i-prevent-enumeration-of-usernames