[wp-hackers] Author URLs expose usernames
Mike Schinkel
mike at newclarity.net
Wed Jul 18 02:22:23 UTC 2012
On Jul 17, 2012, at 9:44 PM, Helen Hou-Sandi wrote:
> I use the following on sites that need author anonymity - seems to work
> well and stays in WP.
>
> // send author page requests into the 404 hole
> add_action( 'pre_get_posts', 'hhs_no_author_archives' );
> function hhs_no_author_archives( $query ) {
>     if ( $query->is_main_query() && $query->is_author() ) {
>         $query->is_author = false;
>         $query->is_404 = true;
>     }
> }
Just FYI, if you use the 'after_setup_theme' hook and die() immediately you can bypass at least 4 SQL queries. If a bot is hammering a site those could add up to be significant.
If you do it in a plugin and use 'plugins_loaded' you can bypass at least 26 SQL queries.
Or you could add the following to wp-config.php and WordPress won't even have started loading:
    if ( preg_match( '#/\?author=[0-9]+$#', $_SERVER['REQUEST_URI'] ) ) {
        header('HTTP/1.0 404 Not Found');
        echo '404 Not Found';
        die();
    }
FWIW.
-Mike
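Added example (not part of Mike's message or anyone's code in this thread): a variant of the wp-config.php check above that matches a numeric author parameter anywhere in the query string rather than only at the end of the URI, and that skips the check when REQUEST_URI is not set, as under the PHP CLI. The function name example_is_author_id_request is hypothetical, and treating only all-digit values as author-ID lookups is an assumption carried over from the [0-9]+ pattern above.

```php
<?php
// Added example: place above the line in wp-config.php that requires
// wp-settings.php (drop the opening tag when pasting into that file).

/**
 * Hypothetical helper: true when the request URI carries an "author"
 * query parameter whose value is all digits, wherever it appears in
 * the query string.
 */
function example_is_author_id_request( $request_uri ) {
    // parse_url() returns null when there is no query string and
    // false when the URI is too malformed to parse.
    $query = parse_url( $request_uri, PHP_URL_QUERY );
    if ( ! is_string( $query ) || '' === $query ) {
        return false;
    }

    // parse_str() URL-decodes names and values, so an encoded
    // parameter name (%61uthor) is normalised before the lookup.
    parse_str( $query, $params );
    if ( ! isset( $params['author'] ) ) {
        return false;
    }

    // author[]=1 arrives as an array; check every scalar element.
    foreach ( (array) $params['author'] as $value ) {
        if ( is_string( $value ) && ctype_digit( $value ) ) {
            return true;
        }
    }
    return false;
}

// REQUEST_URI is absent when wp-config.php is loaded from the command line.
if ( isset( $_SERVER['REQUEST_URI'] )
    && example_is_author_id_request( $_SERVER['REQUEST_URI'] ) ) {
    header( 'HTTP/1.0 404 Not Found' );
    echo '404 Not Found';
    die();
}
```

This covers only the ?author=N form; requests for /author/<name>/ archive URLs still reach WordPress and need a handler such as the pre_get_posts one quoted above.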