WordPress Tip of the Day – Author Lockdown

Author Lockdown

With a proliferation of automated bots crawling the web, many with less than good intentions, you may want to block enumeration of your author permalink(s). To demonstrate the problem, run the following query, substituting your domain name:

http://yourdomainname.com/?author=1

You can increment the number until your author permalink is displayed. Here’s a sample screenshot to demonstrate:

[Screenshot: author6]

which results in this:

[Screenshot: author6r640]

As you can see, WordPress redirects the ?author=N query to that author's archive permalink, so the author's username is displayed in the resulting URL.

To prevent this, add the following rules to the site's .htaccess file:

# WP AUTHOR ENUMERATION BOT PROBE PROTECTION
# Rewrites any ?author=<number> request to author=999999, an ID that
# does not exist, so WordPress answers with its standard 404 page.
# To the hacker bot every author ID looks non-existent, and the real
# author is never redirected to (and so never reveals) the
# /author/<username>/ URL.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} ^author=[0-9]+$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [L]
</IfModule>

Now when the same query is run, the result will be a 404 Not Found.
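To confirm the rule is actually in effect, here is a small self-check script (an added example, not part of the original post): it sends a single ?author=1 request to a site you run, does not follow the redirect, and reports whether the response still points at an /author/<username>/ permalink (leak) or now comes back as a 404 (locked down). The site URL, the User-Agent string and the verdict names are assumptions of this example.

```python
"""Self-check for the ?author=N lockdown.

Before the rewrite, WordPress answers /?author=N with a 301 to
/author/<username>/ (the leak); after it, the request should produce a 404.
classify() turns a (status, Location) pair into a verdict and works offline;
probe() sends one request to a site you administer.
"""
import re
import sys
from typing import Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Author archive permalinks look like /author/<user_nicename>/ (possibly
# under a sub-path such as /blog/author/...).
AUTHOR_SLUG = re.compile(r"(?:^|/)author/([^/?#]+)/?$")


def classify(status: int, location: Optional[str]) -> Tuple[str, Optional[str]]:
    """("leak", slug) for a redirect to an author archive, ("locked", None)
    for a 404, ("inconclusive", None) otherwise (e.g. a 200 that would need
    the HTML inspected, or a redirect somewhere else)."""
    if status in (301, 302, 307, 308) and location:
        match = AUTHOR_SLUG.search(urlparse(location).path)
        return ("leak", match.group(1)) if match else ("inconclusive", None)
    if status == 404:
        return ("locked", None)
    return ("inconclusive", None)


class _NoFollow(HTTPRedirectHandler):
    """Do not follow 3xx responses: we want the Location header itself, so
    let the redirect surface as an HTTPError instead."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(site: str, author_id: int = 1, timeout: float = 10.0) -> Tuple[str, Optional[str]]:
    """Request <site>/?author=<author_id> once and classify the response."""
    url = f"{site.rstrip('/')}/?author={author_id}"
    req = Request(url, headers={"User-Agent": "author-lockdown-check"})  # assumed UA
    try:
        with build_opener(_NoFollow).open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except HTTPError as err:  # unfollowed 3xx and 4xx/5xx both land here
        return classify(err.code, err.headers.get("Location"))


if __name__ == "__main__":
    verdict, slug = probe(sys.argv[1] if len(sys.argv) > 1 else "http://yourdomainname.com")
    print(verdict, slug or "")
```

Run it as `python check.py https://yourdomainname.com` before and after editing .htaccess; the verdict should change from leak to locked.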

While this is better, author links will still expose the author's username, as seen in the following screenshot:


With the mouse cursor hovering over the link “View all posts by Author Demo”, the author's username is visible in the browser's status area in the lower left-hand corner. To fix this we install the plugin Display Name Author Permalink. After installing and activating it, the author's username in the permalink is replaced with their display name, as seen below:

[Screenshot: authordisplayname640]

Bad bots are often in search of two things – a username and a password. They need both to attempt to log in to your site. By implementing the above, we make them work harder to get the first.


One Response to WordPress Tip of the Day – Author Lockdown

  1. Chris, March 14, 2014 at 4:53 am

    Excellent article – good source of information. Thank you for sharing.
