[wp-hackers] Author URLs expose usernames

Helen Hou-Sandi helen.y.hou at gmail.com
Wed Jul 18 01:44:29 UTC 2012


> Is it not possible to just 404 any URLs like that? Are direct URLs needed
> anywhere?
>
> Here's code you can drop into your theme to return 404 for those URLs:
>
> class No_Direct_Author_Attack {
>         function __construct() {
>                 add_action( 'after_setup_theme', array( $this, 'after_setup_theme' ) );
>         }
>         function after_setup_theme() {
>                 // Catch the numeric form (?author=N) before WordPress
>                 // can redirect it to the /author/<nicename>/ permalink.
>                 if ( preg_match( '#/\?author=[0-9]+$#', $_SERVER['REQUEST_URI'] ) ) {
>                         status_header( 404 );
>                         die( '404 — File not found.' );
>                 }
>         }
> }
> new No_Direct_Author_Attack;
>
>
I use the following on sites that need author anonymity - seems to work
well and stays in WP.

// send author page requests into the 404 hole
add_action( 'pre_get_posts', 'hhs_no_author_archives' );
function hhs_no_author_archives( $query ) {
    // Only touch the main front-end query, and only when it is an
    // author archive (pretty /author/name/ or ?author=N).
    if ( $query->is_main_query() && $query->is_author() ) {
        // Clearing is_author also stops redirect_canonical() from
        // rewriting ?author=N to the nicename permalink later on.
        $query->is_author = false;
        $query->is_404 = true;
    }
}
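Both approaches in this thread can be combined into one must-use plugin. The following is an added example, not code from either poster; the `ex_` function names are assumed, and the WordPress hooks used (`pre_get_posts`, `redirect_canonical`, `author_link`) are core APIs.

```php
<?php
/*
Plugin Name: Hide Author Archives (added example, not from the thread)
*/

// 1. Turn any author-archive query (pretty /author/name/ or ?author=N)
//    into a 404 before a template loads. pre_get_posts runs before
//    redirect_canonical(), which only rewrites ?author=N to the
//    nicename permalink while is_author() is still true.
add_action( 'pre_get_posts', 'ex_block_author_archives' );
function ex_block_author_archives( $query ) {
    if ( ! $query->is_main_query() || ! $query->is_author() ) {
        return;
    }
    // set_404() resets every is_* flag (keeping is_feed) and marks the
    // query as 404, so no stale is_author state survives for later hooks.
    $query->set_404();
    // Send the status explicitly instead of relying on WP::handle_404().
    status_header( 404 );
    nocache_headers();
}

// 2. Belt and braces: never let redirect_canonical() emit a Location
//    header pointing at /author/<nicename>/ for a numeric ?author= request.
add_filter( 'redirect_canonical', 'ex_no_author_redirect', 10, 2 );
function ex_no_author_redirect( $redirect_url, $requested_url ) {
    if ( isset( $_GET['author'] ) && preg_match( '/^[0-9]+$/', $_GET['author'] ) ) {
        return false; // returning false cancels the canonical redirect
    }
    return $redirect_url;
}

// 3. Themes build bylines with get_author_posts_url(), which embeds the
//    nicename; point those links at the site root so the archive URL
//    (and the username it contains) is never printed in markup.
add_filter( 'author_link', 'ex_author_link_to_home', 10, 3 );
function ex_author_link_to_home( $link, $author_id, $author_nicename ) {
    return home_url( '/' );
}
```

Drop the file into `wp-content/mu-plugins/` so it loads before the theme and cannot be deactivated from the admin screen.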
