Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#48374 closed defect (bug) (invalid)

Username in Source Code

Reported by: briannie's profile briannie Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Security Keywords:
Focuses: privacy Cc:


I cannot understand why the username is clearly shown in the source code. I don't know if this should be shown under Defect, enhancement or feature request but it seems to be something that requires fixing.

Change History (4)

#1 @sebastienserre
5 years ago

Hello @briannie and thanks to open a ticket
Where do you see the username in the source code?
Do you have a file and a line number to show us?

#2 @briannie
5 years ago

Thanks for the quick response. My description was not that accurate. Hackers seem to know that by entering /?author=1 they will get the username. Here are two examples:

I hope that helps.

#3 @sebastienserre
5 years ago

OK, I understood and I think your request is plugin territory

These URLs came from WordPress when it was only a Blog platform. Nowaday we make lots of kind of website and this URL allways exists.

If you want to disable, I suggest to redirect visitosrs with this kinfd of code:

function author_page_redirect() {
    if ( is_author() ) {
        wp_redirect( home_url() );
add_action( 'template_redirect', 'author_page_redirect' );

Last edited 5 years ago by sebastienserre (previous) (diff)

#4 @ocean90
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from major to normal
  • Status changed from new to closed

Hello @briannie, welcome to WordPress Trac!

Usernames or user IDs not a security issue, see

Do not report potential security vulnerabilities here.
See the Security FAQ and visit the WordPress HackerOne program.

Note: See TracTickets for help on using tickets.