[wp-hackers] Author URLs expose usernames

Mike Schinkel mike at newclarity.net
Wed Jul 18 02:22:23 UTC 2012


On Jul 17, 2012, at 9:44 PM, Helen Hou-Sandi wrote:
> I use the following on sites that need author anonymity - seems to work
> well and stays in WP.
> 
> // send author page requests into the 404 hole
> add_action( 'pre_get_posts', 'hhs_no_author_archives' );
> function hhs_no_author_archives( $query ) {
>    if ( $query->is_main_query() && $query->is_author() ) {
>        $query->is_author = false;
>        $query->is_404 = true;
>    }
> }

Just FYI, if you use the 'after_setup_theme' hook and die() immediately you can bypass at least 4 SQL queries. If a bot is hammering a site those could add up to be significant. 

If you do it in a plugin and use 'plugins_loaded' you can bypass at least 26 SQL queries.

Or you could add the following to wp-config.php and WordPress won't even have started loading:

// Runs before wp-settings.php is even included, so no WP code and no SQL.
// Matches only a request whose URI ends in /?author=N (the integer form
// that WordPress would otherwise 301-redirect to /author/<username>/).
if ( preg_match( '#/\?author=[0-9]+$#', $_SERVER['REQUEST_URI'] ) ) {
	header('HTTP/1.0 404 Not Found');
	echo '404 Not Found';
	die();
}

FWIW.

-Mike
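An added example that combines the two approaches from this thread into one must-use plugin (it is not Helen's or Mike's code; the `noauthor_` function names are made up). It stops `?author=N` at `plugins_loaded`, before the rewrite and canonical-redirect code that leaks the slug, and it reads `$_GET` rather than a `$`-anchored regex so `?author=3&x=1` is caught too; it also 404s the pretty-permalink `/author/<slug>/` archive and hides the archive URL from theme bylines.

```php
<?php
/**
 * Plugin Name: No Author Archives (added example)
 * Drop this file into wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// 1. Cheapest in-WordPress check: an integer ?author= anywhere in the query
//    string. At plugins_loaded the main query has not run and WP_Rewrite does
//    not exist yet, so the 301 to /author/<username>/ never happens.
add_action( 'plugins_loaded', 'noauthor_block_author_query_arg', 0 );
function noauthor_block_author_query_arg() {
	if ( isset( $_GET['author'] ) && ctype_digit( (string) $_GET['author'] ) ) {
		status_header( 404 );   // sets the proper status line for this server protocol
		nocache_headers();      // keep caches/proxies from storing the 404
		exit( '404 Not Found' );
	}
}

// 2. Pretty permalinks: /author/<slug>/ carries no ?author= argument and so
//    never reaches (1); turn the main query's author archive into a 404
//    before it hits the database.
add_action( 'pre_get_posts', 'noauthor_404_author_archive' );
function noauthor_404_author_archive( $query ) {
	if ( $query->is_main_query() && $query->is_author() ) {
		$query->set_404();   // resets all query flags (is_author included) and sets is_404
	}
}

// 3. Themes print get_author_posts_url() in bylines, which exposes the slug
//    even when the archive itself is dead. Point every author link at the
//    front page instead.
add_filter( 'author_link', 'noauthor_hide_author_link', 10, 3 );
function noauthor_hide_author_link( $link, $author_id, $author_nicename ) {
	return home_url( '/' );
}
```

Check it with `curl -sI 'https://example.test/?author=1&x=1'` and `curl -sI https://example.test/author/someuser/`; both should answer `404`, with no `Location:` header on the first.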