[wp-hackers] Author URLs expose usernames

Tom Barrett tcbarrett at gmail.com
Wed Jul 18 04:13:25 UTC 2012


The main issue is exposing the username; passing an author id in the URL is
just an easy way to find it.

The wp-author-slug plugin hides the username either way.

The next step is to remove the helpful login failure messages that let
hacker types search for user names.

Are they worth considering for inclusion into core?

//Tom
Sent on Android
On Jul 18, 2012 4:31 AM, "Chason Chaffin" <chason at gmail.com> wrote:

> Use an .htaccess and PHP doesn't even get invoked.
>
> I'll leave the Rewrite rule as an exercise for the reader.
>
> Sent from my iPhone
>
> On Jul 17, 2012, at 7:22 PM, Mike Schinkel <mike at newclarity.net> wrote:
>
> > On Jul 17, 2012, at 9:44 PM, Helen Hou-Sandi wrote:
> >> I use the following on sites that need author anonymity - seems to work
> >> well and stays in WP.
> >>
> >> // send author page requests into the 404 hole
> >> add_action( 'pre_get_posts', 'hhs_no_author_archives' );
> >> function hhs_no_author_archives( $query ) {
> >>   if ( $query->is_main_query() && $query->is_author() ) {
> >>       $query->is_author = false;
> >>       $query->is_404 = true;
> >>   }
> >> }
> >
> > Just FYI, if you use the 'after_setup_theme' hook and die() immediately
> > you can bypass at least 4 SQL queries. If a bot is hammering a site those
> > could add up to be significant.
> >
> > If you do it in a plugin and use 'plugins_loaded' you can bypass at
> > least 26 SQL queries.
> >
> > Or you could add the following to wp-config.php and WordPress won't even
> > have started loading:
> >
> > if ( preg_match( '#/\?author=[0-9]+$#', $_SERVER['REQUEST_URI'] ) ) {
> >    header('HTTP/1.0 404 Not Found');
> >    echo '404 Not Found';
> >    die();
> > }
> >
> > FWIW.
> >
> > -Mike
> >
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
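An added example, not code from this thread or from WordPress: detection logic for the access-log side of what Mike describes (a bot hammering /?author=N). It assumes Apache/nginx "combined" log format and uses constructed sample lines with documentation IPs; it flags clients that sweep several distinct author ids within a short window and counts the 301 redirects to /author/<username>/ (the leak) against the 404s that Helen's hook, Mike's wp-config check or a rewrite rule would return instead.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log line; only ip, timestamp, request path and status are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
AUTHOR_ID_RE = re.compile(r'^/\?author=(\d+)$')  # the author-id probe discussed in the thread

def parse_line(line):
    """Return (ip, timestamp, path, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['path'], int(m['status'])

def find_enumeration(lines, min_ids=3, window_seconds=300):
    """Flag clients requesting >= min_ids distinct /?author=N values within window_seconds.
    301/302 = WordPress redirected to /author/<username>/ (the leak); 404 = no such user or
    a mitigation (pre_get_posts hook, wp-config check, rewrite rule) answered first."""
    probes = defaultdict(list)  # ip -> [(timestamp, author_id, status)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        m = AUTHOR_ID_RE.match(path)
        if m:
            probes[ip].append((ts, int(m.group(1)), status))
    findings = {}
    for ip, events in probes.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):  # sliding window over this client's probes
            burst = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_seconds]
            ids = sorted({aid for _, aid, _ in burst})
            if len(ids) >= min_ids:
                findings[ip] = {'ids': ids,
                                'redirected': sum(s in (301, 302) for _, _, s in burst),
                                'not_found': sum(s == 404 for _, _, s in burst)}
                break
    return findings

# Constructed sample: one client sweeps ids 1-4 (usernames leak via 301), one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jul/2012:04:01:10 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.21"
203.0.113.7 - - [18/Jul/2012:04:01:12 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.21"
203.0.113.7 - - [18/Jul/2012:04:01:13 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/7.21"
203.0.113.7 - - [18/Jul/2012:04:01:14 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "curl/7.21"
198.51.100.9 - - [18/Jul/2012:04:02:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
""".splitlines()
```

On a site where the mitigation is in place every probe in a flagged burst should show up under `not_found`; a non-zero `redirected` count is the signal that usernames are still being handed out.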

