You can bruteforce WordPress users;
wpscan –url prepperhacker.nl –enumerate u
[+] We did not enumerate any usernames
next step would have been: wpscan –url www.prepperhacker.nl –wordlist rockyou.txt –username admin
It was prevented by .htaccess:
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} ^author=\d+ [NC,OR]
RewriteCond %{QUERY_STRING} ^author=\{num
RewriteRule ^ – [L,R=403]
Source: https://wordpress.stackexchange.com/questions/46469/can-i-prevent-enumeration-of-usernames