[wp-hackers] Author URLs expose usernames

Chason Chaffin chason at gmail.com
Wed Jul 18 03:31:04 UTC 2012


Use an .htaccess and PHP doesn't even get invoked. 

I'll leave the Rewrite rule as an exercise for the reader. 

Sent from my iPhone

On Jul 17, 2012, at 7:22 PM, Mike Schinkel <mike at newclarity.net> wrote:

> On Jul 17, 2012, at 9:44 PM, Helen Hou-Sandi wrote:
>> I use the following on sites that need author anonymity - seems to work
>> well and stays in WP.
>> 
>> // send author page requests into the 404 hole
>> add_action( 'pre_get_posts', 'hhs_no_author_archives' );
>> function hhs_no_author_archives( $query ) {
>>   if ( $query->is_main_query() && $query->is_author() ) {
>>       $query->is_author = false;
>>       $query->is_404 = true;
>>   }
>> }
> 
> Just FYI, if you use the 'after_setup_theme' hook and die() immediately you can bypass at least 4 SQL queries. If a bot is hammering a site those could add up to be significant. 
> 
> If you do it in a plugin and use 'plugins_loaded' you can bypass at least 26 SQL queries.
> 
> Or you could add the following to wp-config.php and WordPress won't even have started loading:
> 
> if ( preg_match( '#/\?author=[0-9]+$#', $_SERVER['REQUEST_URI'] ) ) {
>    header('HTTP/1.0 404 Not Found');
>    echo '404 Not Found';
>    die();
> }
> 
> FWIW.
> 
> -Mike
> 
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
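The rewrite rule Chason leaves as an exercise, as an added example that is not part of the original thread: an Apache .htaccess fragment that answers `/?author=N` requests with a 404 before WordPress (or PHP at all) is loaded. It assumes mod_rewrite is enabled and that these lines sit above WordPress's own `# BEGIN WordPress` block in the site's .htaccess.

```apache
# Added example, not from the thread: refuse author-ID lookups at the web server.
# Place above WordPress's own rewrite block so it is evaluated first.
<IfModule mod_rewrite.c>
RewriteEngine On

# Match an "author=<digits>" parameter anywhere in the query string,
# not only when it is the last parameter, so "?author=1&foo=bar" is covered too.
RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+ [NC]
# With a status outside 300-399, mod_rewrite drops the substitution ("-")
# and returns that status directly; processing stops as with [L].
RewriteRule ^ - [R=404,L]

# Optional: also refuse the pretty author archive (/author/<slug>/), which is
# what the ?author=N redirect would otherwise reveal. This is the .htaccess
# equivalent of Helen's pre_get_posts filter and removes author archives entirely.
RewriteRule ^author/ - [R=404,L]
</IfModule>
```

Because these requests never reach PHP, the only trace of enumeration attempts is the 404 in the access log, which is also the place to watch for them.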
