Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#48374 closed defect (bug) (invalid)

Username in Source Code

Reported by: briannie
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses: privacy
Cc:

Description

I cannot understand why the username is clearly shown in the source code. I don't know if this should be shown under defect, enhancement or feature request, but it seems to be something that requires fixing.

Change History (4)

#1 @sebastienserre
5 years ago

Hello @briannie, and thanks for opening a ticket.
Where do you see the username in the source code?
Do you have a file and a line number to show us?

#2 @briannie
5 years ago

Thanks for the quick response. My description was not that accurate. Hackers seem to know that by entering /?author=1 they will get the username. Here are two examples:

https://catoconsultancy.co.uk/?author=1
reveals
https://catoconsultancy.co.uk/author/chris-12

https://cherchat.org/?author=1
reveals
https://cherchat.org/author/amanda

I hope that helps.

#3 @sebastienserre
5 years ago

OK, I understand, and I think your request is in plugin territory.

These URLs date from when WordPress was only a blog platform. Nowadays we make many kinds of websites, and this URL always exists.

If you want to disable it, I suggest redirecting visitors with this kind of code:

function author_page_redirect() {
    // Send visitors who reach an author archive back to the front page.
    if ( is_author() ) {
        wp_redirect( home_url() );
        exit; // Stop WordPress from rendering the archive after the redirect.
    }
}
add_action( 'template_redirect', 'author_page_redirect' );

https://wordpress.stackexchange.com/questions/182236/completely-remove-the-author-url

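As an added example (not code from the ticket or from WordPress core), a variant of the redirect above that also covers the raw `?author=N` query: it hooks `template_redirect` at priority 0 so it runs before core's own `redirect_canonical()` (priority 10), which otherwise rewrites `?author=1` to `/author/<slug>/` before the snippet above gets a chance to run. The plugin header and the function name are illustrative.

```php
<?php
/**
 * Plugin Name: Disable author archives (illustrative example)
 * Description: Added example, not from the ticket or WordPress core.
 *              Redirects every author-archive request to the front page.
 */

// Priority 0: run before redirect_canonical(), which core registers on
// template_redirect at priority 10 and which would otherwise turn ?author=1
// into a redirect to /author/<slug>/ (revealing the slug) and then exit.
add_action( 'template_redirect', 'example_block_author_archives', 0 );

function example_block_author_archives() {
    // Catch both the pretty /author/<slug>/ URL (is_author()) and the raw
    // ?author=N query, including IDs that do not exist, so every probe
    // gets the same response instead of a redirect-vs-404 difference.
    if ( ! is_author() && ! isset( $_GET['author'] ) ) {
        return;
    }

    // wp_safe_redirect() only allows same-host targets; exit so WordPress
    // does not continue to render (and leak) the archive after redirecting.
    nocache_headers();
    wp_safe_redirect( home_url( '/' ), 301 );
    exit;
}
```

Drop the file into `wp-content/plugins/` and activate it; author pages are then unreachable through either URL form while posts and feeds continue to work.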

#4 @ocean90
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from major to normal
  • Status changed from new to closed

Hello @briannie, welcome to WordPress Trac!

Usernames or user IDs are not a security issue, see https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue.
