It's possible to enumerate a list of WordPress users by using the "forgot password" form. If you enter a username/email that DOESN'T exist, you receive an error telling you as much. And if you enter a username/email that DOES exist, it will confirm that fact with a success message:
I'd like to have this form return the same message either way, but I can't seem to find the right WordPress hooks to do this. Has anyone tackled this before or have any suggestions on how to obfuscate the response?
You can try this: