This is a searchable archive of our old support forums, which operated from 2012 - 2016. To find out how to get support for your current theme, please visit our support page.


Author URL and security, remove author link

  • #25597
    vnp
    Participant

    It’s not a bug, it’s a feature (request :).
    Global option to unlink author URL, or even remove author from meta, or maybe switch to a safer URL.

    For lots of sites I make, clients don’t really need an ‘author’ in the post meta.
    Date & category is nice; the author(s) may or may not be shown for them. The author meta, however, always has a URL in WordPress that reveals the user login name in the URL (like /author/admin). In my view this is a security flaw in WordPress, but that’s how WP works.

    Hiding it with CSS only visually hides the username. Disabling/redirecting an author blog doesn’t remove the username from the original page either. What I wished for was to completely ban any login name from any generated page.

    Using the String Swap plugin it’s easy to remove from the single posts. However: in Jumpstart’s Grid mode (and a few other features), this author name/URL remains active & visible.
    There are options to enable or disable the META info, but that also removes post date, which I mostly wish to keep.

    So I keep copying in this code I found somewhere in my child theme functions.php. It replaces the username with the nice name in the URL.

    // Resolve an author archive request by nickname instead of user_nicename.
    add_filter( 'request', 'wpse5742_request' );
    function wpse5742_request( $query_vars )
    {
        if ( array_key_exists( 'author_name', $query_vars ) ) {
            global $wpdb;
            // Find the user whose nickname matches the slug taken from the URL.
            $author_id = $wpdb->get_var( $wpdb->prepare( "SELECT user_id FROM {$wpdb->usermeta} WHERE meta_key='nickname' AND meta_value = %s", $query_vars['author_name'] ) );
            if ( $author_id ) {
                // Query by ID so the slug is not matched against user_nicename.
                $query_vars['author'] = $author_id;
                unset( $query_vars['author_name'] );
            }
        }
        return $query_vars;
    }

    // Build author links with the nickname in place of user_nicename.
    add_filter( 'author_link', 'wpse5742_author_link', 10, 3 );
    function wpse5742_author_link( $link, $author_id, $author_nicename )
    {
        $author_nickname = get_user_meta( $author_id, 'nickname', true );
        if ( $author_nickname ) {
            // The nickname is inserted as-is, so it has to be URL-safe.
            $link = str_replace( $author_nicename, $author_nickname, $link );
        }
        return $link;
    }

    This way you can still choose whether you would like to use the author archives or not, hide or show it with CSS, without revealing any info in the source.
    I hope this helps someone, and maybe it triggers an idea for an option in Jumpstart.

    • This topic was modified 5 years, 5 months ago by vnp.
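
A check for the goal stated in the post above (no login name in any generated page), added here as an example and not code from the thread or the theme: it parses rendered HTML, CSS-hidden markup included, and reports author-archive links whose slug matches a known login. The sample page, the login list and the function names are constructed for illustration; the `author` URL base is WordPress's default.

```python
"""Audit rendered HTML for author-archive links that expose a login name."""
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote


class AuthorLinkCollector(HTMLParser):
    """Collects the slug of every /author/<slug>/ link, visible or hidden."""

    def __init__(self):
        super().__init__()
        self.slugs = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        parts = [p for p in urlparse(href).path.split("/") if p]
        # The slug is the path segment that follows the "author" base.
        if "author" in parts[:-1]:
            self.slugs.append(unquote(parts[parts.index("author") + 1]))


def leaked_logins(html, logins):
    """Return the sorted logins that appear as an author slug in `html`."""
    collector = AuthorLinkCollector()
    collector.feed(html)
    known = {name.lower() for name in logins}
    return sorted({slug.lower() for slug in collector.slugs} & known)


# Constructed sample: one byline hidden with CSS, one grid item using a
# slug that differs from the login.
SAMPLE_PAGE = """
<article>
  <span class="byline" style="display:none">
    <a href="https://example.com/author/admin/">Site Editor</a>
  </span>
  <div class="grid-item">
    <a href="/author/jane-doe/">Jane Doe</a>
  </div>
</article>
"""
# Constructed; in practice, export the user_login column of wp_users.
SAMPLE_LOGINS = ["admin", "jdoe"]

if __name__ == "__main__":
    for login in leaked_logins(SAMPLE_PAGE, SAMPLE_LOGINS):
        print(f"login exposed in author link: {login}")
```

Running it over saved copies of the home page, grid pages and single posts shows whether a template still emits the login after a slug change.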
  • #25614
    Jason Bobich
    Keymaster

    Hi,

    I totally understand where you’re coming from. If you look at WordPress trac, this is something that has come up several times by people and been disputed and argued over. Ultimately, the people around WordPress in control don’t seem to agree that this is a security risk. And so it remains the way it is.

    Anyway, the structure of author archive URLs isn’t something that’s a theme issue, and I’d honestly probably never put something into the theme that disabled it, or messed with what WordPress is doing there.

    This issue you’re running into is obviously a common one that you’re going to have no matter what theme you’re using, as I’m sure you’ve already figured out. But a lot of people like using this plugin. You should check it out:

    https://wordpress.org/plugins/edit-author-slug/
