[wp-hackers] Author URLs expose usernames
Helen Hou-Sandi
helen.y.hou at gmail.com
Wed Jul 18 01:44:29 UTC 2012
> Is it not possible to just 404 any URLs like that? Are direct URLs needed
> anywhere?
>
> Here's code you can drop into your theme do return 404 for those URLs:
>
> class No_Direct_Author_Attack {
> function __construct() {
> add_action( 'after_setup_theme', array( $this,
> 'after_setup_theme' ) );
> }
> function after_setup_theme() {
> if ( preg_match( '#/\?author=[0-9]+$#',
> $_SERVER['REQUEST_URI'] ) ) {
> status_header( 404 );
> die( '404 — File not found.' );
> }
> }
> }
> new No_Direct_Author_Attack;
>
>
I use the following on sites that need author anonymity - seems to work
well and stays in WP.
// send author page requests into the 404 hole
add_action( 'pre_get_posts', 'hhs_no_author_archives' );
function hhs_no_author_archives( $query ) {
if ( $query->is_main_query() && $query->is_author() ) {
$query->is_author = false;
$query->is_404 = true;
}
}
More information about the wp-hackers
mailing list