The problem with the WordPress author page
While using WordPress to build your beautiful new website, you do not want hackers to access the back end as administrator and deface your all new nice looking baby ! But it’s probably the case as the WordPress author page will give the whole world your admin login !
Even worst, you do not want your website used as a bot or something like that.
Wait … What ? Yes, but don’t worry, you’re at the right place to learn how to disable the author page of your WordPress website.
But what’s wrong with the WordPress author page ?
The problem is that WordPress generates a page to list all posts of user, and this page has a well known URL to display it : http://www.yourdomain/author/admin (try it on your WordPress instance).
It also can be found by using the WordPress API with another URL : http://www.yourdomain/wp-json/wp/v2/users/1
How to fill the leak of the WordPress author page ?
There are multiple steps to proceed. Here is some steps to complete to tell WordPress disable author page :
Redirect the request of the author page to your home page
At first, you have to hook the request of this page in your function.php theme file.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
/* * Avoid to serve author page. * If this page is served, it makes life easier for hackers to get admin login. */ function disable_author_page() { global $wp_query; if ( is_author() && !is_admin() ) { wp_redirect( home_url(), 301 ); exit; } } add_action( 'template_redirect', 'disable_author_page' ); |
Now, test the page http://www.yourdomain/author/admin and you should redirected to your home page.
You should also test the api url mentionned above, and if it respond something else that a 404 page or the gome page, add the code below too.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
/* * Disable rest endpoints for author */ function disable_rest_endpoints( $endpoints ) { if ( isset( $endpoints['/wp/v2/users'] ) ) { unset( $endpoints['/wp/v2/users'] ); } if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) { unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ); } return $endpoints; } add_filter( 'rest_endpoints', 'disable_rest_endpoints'); |
Check the Google indexed pages
You may not know that it is possible to know which pages Google has indexed for your website.
And no, I’m not talking about your Google Search Console which is only accessible with your Google account.
It is visible for anyone using Google as a search engine !
Did you ever heard about Google commands ? The one that interests us is site:
Do the test ! Go on Google and type site:yourdomain.be (do not write the HTTP and WWW parts).
You now get a list of all Google indexed pages, and it can be scary as there is a lot of pages you never heard before.
First of all, you have to clean up every single page, post or whatever in your WordPress admin.
There is also a lot of plugins to clean it up and even block indexation of some page types.
The last option is to connect to your Google Search Console and ask Google to remove desired pages from its index.
Take a look on my other tips for your WordPress theme !