diff --git a/app/finders/users/wp_json_api.rb b/app/finders/users/wp_json_api.rb
index 73b23f36..25c1a9f3 100644
--- a/app/finders/users/wp_json_api.rb
+++ b/app/finders/users/wp_json_api.rb
@@ -42,12 +42,16 @@ module WPScan
 def users_from_response(response)
 found = []
- JSON.parse(response.body)&.each do |user|
- found << Model::User.new(user['slug'],
- id: user['id'],
- found_by: found_by,
- confidence: 100,
- interesting_entries: [response.effective_url])
+ json = JSON.parse(response.body)
+
+ if json.is_a? Enumerable
+ json.each do |user|
+ found << Model::User.new(user['slug'],
+ id: user['id'],
+ found_by: found_by,
+ confidence: 100,
+ interesting_entries: [response.effective_url])
+ end
 end
 found
diff --git a/spec/app/finders/users/wp_json_api_spec.rb b/spec/app/finders/users/wp_json_api_spec.rb
index a9af123e..64453dfb 100644
--- a/spec/app/finders/users/wp_json_api_spec.rb
+++ b/spec/app/finders/users/wp_json_api_spec.rb
@@ -25,6 +25,12 @@ describe WPScan::Finders::Users::WpJsonApi do
 its(:aggressive) { should eql([]) }
 end
+ context 'when a string response' do
+ let(:body) { '404' }
+
+ its(:aggressive) { should eql([]) }
+ end
+
 context 'when a JSON response' do
 context 'when unauthorised' do
 let(:body) { File.read(fixtures.join('401.json')) }
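Review bot: The new guard `if json.is_a? Enumerable` still admits a Hash, so a JSON object body (the shape a WordPress REST error reply such as `{"code": ..., "message": ...}` is likely to have) would iterate key/value pairs and `user['slug']` on the resulting Array would raise TypeError; narrowing it to `if json.is_a?(Array)` (or adding `next unless user.is_a?(Hash)` at the top of the block) keeps the intended protection against the scalar `404` body while rejecting that case too. The spec's `401.json` fixture may well exercise exactly that object shape, which is worth confirming against the fixture. JSON.parse also raises JSON::ParserError on a non-JSON body such as an HTML error page, and nothing in this hunk rescues it; whether a caller does is not visible here. The method's closing `end` after `found` falls outside the hunk as shown.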
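Review bot: The new `context 'when a string response'` with `let(:body) { '404' }` is misnamed: JSON.parse of `'404'` yields the Integer 404 on json 2.x (older json gems without quirks mode raise JSON::ParserError instead), so the example pins the scalar path rather than a string, and the expected `[]` depends on the json gem version in use. Renaming it to `context 'when a scalar JSON response'` would state what is actually tested. The case the finder's new `is_a? Enumerable` check most needs is a JSON object body, since a Hash is Enumerable and passes that check; a sibling example such as `let(:body) { '{"code":"rest_no_route"}' }` expecting `[]` would cover it.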