[wp-hackers] Author URLs expose usernames

Mike Little wordpress at zed1.com
Tue Jul 17 15:18:39 UTC 2012

On 17 July 2012 15:04, Harry Metcalfe <harry at dxw.com> wrote:

> On 17/07/12 12:12, Mike Little wrote:
>> Ah, I should have checked that! Will the core keep those old URLs live if
> nicename changes?
No, I don't think it will (unlike posts and pages), you may need to tap
into the query processing.

The rewrite rules will convert the url to a query var: author_name =
'author-slug-from-url'; There are no filters around parsing that: the code
will simply call get_user_by('slug', $q['author_name']).

I think you should:

hook into 'pre_get_posts',
look for author_name being set and call get_user_by('slug',
if you get a result, you're done.
else, call get_user_by('login', $q['author_name']),
if that works, get the user's slug (user_nicename) and update query var
author_name to match.

Hope that helps,

Mike Little

More information about the wp-hackers mailing list