Site search results can include passworded posts
| Reported by: | coffee2code | Owned by: | ShaneF |
By default, WordPress's built-in search feature searches the contents of passworded posts. If the content of a passworded post matches the search criteria, WordPress will include that post in the listing of search results. While it is true that the post contents will not be displayed to the visitor (unless they know and have entered the password for the post), the fact that the otherwise protected post appeared in the search results allows for the visitor to search-bomb your site in an effort to deduce some of the content of the password-protected post.
Of course, external search (as done from Google) would never include the passworded post contents since that content is not available to external search engines.
I have released a plugin that addresses the issue and prevents passworded posts from being included in search results, but this may be something we may want to consider for core.
The attached patch prevents passworded posts from being included in search results on the front-end of the site (i.e. by visitors). It does not add the constraint on searches performed within the admin.
The drawback, of course, is that a visitor couldn't legitimately perform a search and find a passworded post that they may have the password for. Hence a privacy vs. usability issue, and I vote that privacy prevails. (I've seen the search-bomb happen, so it's a real concern.)
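One way to apply the constraint described in this ticket, written as an added example; it is not the attached patch or the reporter's plugin, neither of which appears on this page. The function name `example_exclude_passworded_from_search` is hypothetical, and the code assumes a WordPress install where the `posts_where` filter receives the `WP_Query` object as its second argument.

```php
<?php
/**
 * Added illustration: keep password-protected posts out of front-end
 * search results so a visitor cannot probe their contents by searching.
 */
function example_exclude_passworded_from_search( $where, $query ) {
    global $wpdb;

    // Searches run inside the admin screens are left unchanged,
    // matching the scope the ticket describes.
    if ( is_admin() ) {
        return $where;
    }

    // Only search queries are constrained; archives, single-post views
    // and other listings still show the passworded post's title and form.
    if ( ! $query->is_search() ) {
        return $where;
    }

    // Posts without a password store an empty string in post_password,
    // so this clause drops every protected post from the result set.
    $where .= " AND {$wpdb->posts}.post_password = ''";

    return $where;
}
add_filter( 'posts_where', 'example_exclude_passworded_from_search', 10, 2 );
```

`is_admin()` also returns true for requests to `admin-ajax.php`, so a theme that serves visitor searches over AJAX would bypass this filter and needs its own check.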
Change History (12)
- Owner changed from anonymous to ShaneF
- Status changed from new to assigned