This is a really simple fix that blocks user enumeration on a WordPress site (such as the method used by WPScan).
Before I get into this, I am very well aware of the IfIsEvil page on the nginx wiki. But that page also says, “The only 100% safe things which may be done inside if in location context are: return and rewrite as the last statement in a location block.” With that in mind, we are going to use ONLY rewrite as the last statement in our location block.