A Case Against Author Archives In WordPress


What Are Author Archives?

When you write posts or pages (or any custom post type) for your WordPress site, they are linked to you as the author.  The authors that get associated with posts are actually the back-end users of your site.  There is a select box on each post edit screen that lets you choose which user is the author of the piece of content.

The author archives are just dynamically generated pages that allow site visitors to see all of the posts associated with a particular author (user). The author archives are pretty helpful in that if you read a piece of content that you really like, you can click on the author and review other content created by them.  From a site visitor’s perspective, this is a great thing (especially when there is a bio and links to the author’s social media, so you can follow them for more great content).  Here is an example of an author archive: Author Archive Example.


So Why Is This A Bad Thing?

Looking through a simple Google search, using search operators to expose these pages, you will find a pretty nicely done author archive here (Props Joe Hall). But the vast majority are more like here, here, and here (Boo Majestic). This is because most blog owners care very little about these pages (if they even know they exist).  They are generated dynamically, out of the box, by WordPress.  In the bad examples above, this can add pages and pages of really crappy content to your site (Panda say NO!).

That is not the worst part.  The really bad thing about author archives is that they can let malicious persons potentially gain access to your site if you are not careful.  Let’s take a look at the Majestic blog example linked above.  If you pull up their sitemap.xml file, you will find a link to author-sitemap.xml.  Perusing through that list, I see what the usernames are for all of their users: admin, barrie, rstlamedia-dk, etc. So if I wanted to, I could create a script that would send POST requests to their wp-login.php page, say 20 at a time, over the course of the next month, until I found the correct password for one of their usernames.

A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security.

This is what it looks like in the wild (server log screenshot):

In the above server log, you will see that the last POST request worked.  The hacker gained access. The level of harm this can bring to your site depends on the level of permissions (author, editor, admin, etc.) of the user that was targeted by the brute force attack shown above.  At the very minimum, a malicious SEO can get access and silently add links at will to the content of your pages.  At worst, the attacker could access your server and wreak havoc on your site (or sites).
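Since the screenshot is all the post gives you, here is an added example (my code, not from the original post) of what to look for in your own access log. WordPress answers a failed wp-login.php POST with HTTP 200 (it re-renders the form) and a successful one with a 302 redirect, so the brute force pattern is a run of 200s from one client followed by a 302. The log lines, IPs and the threshold of three are constructed for the example; tune the threshold to your own traffic.

```php
<?php
// Added example: flag brute-force runs against wp-login.php in a combined-format
// access log. A run of 200 responses followed by a 302 from the same client is
// the "last POST request worked" pattern described in the post.

// Constructed sample log lines (documentation IPs, invented timestamps).
$sampleLog = <<<'LOG'
203.0.113.7 - - [12/Mar/2013:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "python-requests/1.1"
203.0.113.7 - - [12/Mar/2013:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "python-requests/1.1"
203.0.113.7 - - [12/Mar/2013:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "python-requests/1.1"
203.0.113.7 - - [12/Mar/2013:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/1.1"
198.51.100.4 - - [12/Mar/2013:02:15:10 +0000] "GET /author/admin/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2013:02:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
LOG;

const LOGIN_FAILURE_THRESHOLD = 3; // constructed threshold; tune to your own traffic

/**
 * Parse one combined-log line into ip/time/status, or return null when the
 * line is not a POST to wp-login.php.
 */
function parse_login_post(string $line): ?array
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "POST \/wp-login\.php[^"]*" (\d{3}) /';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'status' => (int) $m[3]];
}

/**
 * Walk the log in order and report, per client IP, when the failure threshold
 * is reached and when a 302 (successful login) follows a run of failures.
 */
function find_bruteforce_runs(string $log, int $threshold = LOGIN_FAILURE_THRESHOLD): array
{
    $failures = [];   // ip => consecutive 200 responses seen so far
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $hit = parse_login_post($line);
        if ($hit === null) {
            continue;
        }
        $ip = $hit['ip'];
        if ($hit['status'] === 200) {
            $failures[$ip] = ($failures[$ip] ?? 0) + 1;
            if ($failures[$ip] === $threshold) {
                $findings[] = sprintf('%s: %d failed logins by %s (lockout candidate)',
                    $ip, $threshold, $hit['time']);
            }
        } elseif ($hit['status'] === 302) {
            if (($failures[$ip] ?? 0) >= $threshold) {
                $findings[] = sprintf('%s: SUCCESSFUL login at %s after %d failures; treat as a compromise',
                    $ip, $hit['time'], $failures[$ip]);
            }
            $failures[$ip] = 0;
        }
    }
    return $findings;
}

foreach (find_bruteforce_runs($sampleLog) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it with `php detect.php` (any file name works). On the constructed lines the first client is reported twice, once when it hits the threshold and once for the 302 that follows; the second client never reaches the threshold. To use it on a real log, replace the heredoc with `file_get_contents('/path/to/access.log')` and, because a single success after a run of failures is the thing to act on, reset that user's password and review recent changes to the site whenever the second kind of finding appears.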


What Can Be Done To Help?

The WordPress Team

First off, this would be a very easy fix for the WordPress.org team.  Instead of using author archive URLs that include the username (i.e. http://blog.majesticseo.com/author/admin/), they could use a compound of the display_name column to produce the author pages (similar to the way they process post slugs currently).  This could be overridden in the user settings for users who wanted to hide their real name. Second, author archives could be off by default and only activated from the Settings > Reading section of the admin area.
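You do not have to wait for core to do this on your own site. WordPress builds the /author/<slug>/ URL from the user_nicename column, and core fills that column from the login name at registration, which is why the archive URL leaks the username. The following mu-plugin is an added example (my code, not WordPress core and not from the original post) that re-derives the nicename from display_name whenever a user is created or edited, which is the fix the post asks for, applied per site. The acaa_ prefix and the wp-content/mu-plugins/ location are assumptions; any plugin file will do.

```php
<?php
// Added example: derive the author archive slug (user_nicename) from
// display_name instead of the login name. Drop in wp-content/mu-plugins/.

/**
 * Build a nicename for the user from display_name, falling back to an opaque
 * slug when display_name is empty or would still equal the login name, and
 * making sure it does not collide with another user's slug.
 */
function acaa_slug_from_display_name(WP_User $user): string
{
    $slug = sanitize_title($user->display_name);
    if ($slug === '' || $slug === sanitize_title($user->user_login)) {
        // Opaque fallback so the archive URL never echoes the login name.
        $slug = 'author-' . substr(md5($user->user_email . $user->ID), 0, 8);
    }
    $candidate = $slug;
    $n = 2;
    // get_user_by('slug', ...) looks up user_nicename.
    while (($other = get_user_by('slug', $candidate)) && (int) $other->ID !== (int) $user->ID) {
        $candidate = $slug . '-' . $n++;
    }
    return $candidate;
}

/**
 * Hook handler: rewrite user_nicename if it does not already match the
 * display_name-derived slug. A static guard stops the profile_update hook
 * from re-entering while wp_update_user() runs.
 */
function acaa_rewrite_author_slug(int $user_id): void
{
    static $running = false;
    if ($running) {
        return;
    }
    $user = get_userdata($user_id);
    if (!$user) {
        return;
    }
    $slug = acaa_slug_from_display_name($user);
    if ($slug !== $user->user_nicename) {
        $running = true;
        wp_update_user(['ID' => $user_id, 'user_nicename' => $slug]);
        $running = false;
    }
}
add_action('user_register', 'acaa_rewrite_author_slug');
add_action('profile_update', 'acaa_rewrite_author_slug');
```

Existing users get their slug rewritten the next time their profile is saved; for a one-off sweep, call acaa_rewrite_author_slug() for each ID from get_users(). Note that this changes the URL of every author archive (old links will 404), and it only hides the login name in the archive URL, not anywhere a theme prints user_login directly.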


What You Can Do

The easiest first step would be to make sure you are not using an obvious username for your Administrator account.  admin is used by wayyyyy too many people, and if your password is not really, really strong, you are asking for it.

The second thing is to install a useful plugin called Limit Login Attempts by Johan Eenfeldt (please update the plugin, Johan).  It allows you to specify a lockout period if someone tries to log in too many times.  It will also alert you by email (if checked) if someone is trying to brute-force their way into your site.

Last, use Yoast’s WordPress SEO plugin to disable your author sitemap and/or author archives if you are not using them.

Disable Author Archives in WordPress SEO

Disable Author Sitemap in WordPress SEO
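If you would rather not depend on two plugins for the last two steps, here is an added example (my code, not the Limit Login Attempts or Yoast plugin code, and not from the original post) of a core-only mu-plugin that does the same three things: author archive requests return a 404, the users provider is dropped from the core sitemap that WordPress 5.5+ publishes, and an IP is locked out after repeated failed logins, with an email to the admin address. The acaa_ prefix, the five-attempt limit and the 20-minute lockout are assumptions.

```php
<?php
// Added example: disable author archives, drop the author sitemap, and rate
// limit wp-login.php using only WordPress core APIs.

const ACAA_MAX_ATTEMPTS = 5;
const ACAA_LOCKOUT_SECONDS = 20 * MINUTE_IN_SECONDS;

// (1) Author archives: serve a real 404 instead of the author's post list.
add_action('template_redirect', function (): void {
    if (is_author()) {
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
        nocache_headers();
    }
});

// (2) Core sitemap (WP 5.5+): returning a non-provider skips registration of
// the "users" provider, so no author sitemap is published.
add_filter('wp_sitemaps_add_provider', function ($provider, string $name) {
    return $name === 'users' ? false : $provider;
}, 10, 2);

// (3) Login limiting keyed on the client IP, stored in transients.
function acaa_client_ip(): string
{
    // REMOTE_ADDR is the one address the client cannot set itself. Behind a
    // reverse proxy, configure the proxy/PHP so REMOTE_ADDR is the real client.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function acaa_attempt_key(string $ip): string
{
    return 'acaa_login_' . md5($ip);
}

// Count failures; each failure refreshes the lockout window.
add_action('wp_login_failed', function (): void {
    $ip = acaa_client_ip();
    $key = acaa_attempt_key($ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, ACAA_LOCKOUT_SECONDS);
    if ($count === ACAA_MAX_ATTEMPTS) {
        wp_mail(
            get_option('admin_email'),
            'Login lockout on ' . home_url(),
            sprintf('%d failed logins from %s; locked out for %d minutes.',
                $count, $ip, ACAA_LOCKOUT_SECONDS / MINUTE_IN_SECONDS)
        );
    }
});

// A successful login clears the counter for that IP.
add_action('wp_login', function (): void {
    delete_transient(acaa_attempt_key(acaa_client_ip()));
});

// Priority 30 runs after core's username/password check (priority 20), so a
// locked-out client is refused even when it finally guesses the right password.
add_filter('authenticate', function ($user, $username) {
    if ((int) get_transient(acaa_attempt_key(acaa_client_ip())) >= ACAA_MAX_ATTEMPTS) {
        return new WP_Error('acaa_locked_out',
            __('Too many failed login attempts. Try again later.'));
    }
    return $user;
}, 30, 2);
```

Two things to check before relying on it: that is_author() requests really return 404 on your theme (some themes render author pages through custom templates), and that REMOTE_ADDR is the visitor's address rather than your CDN or load balancer, otherwise one lockout will block everybody who comes through that proxy.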
In Conclusion

I am only bringing this up because I have seen this happen and I want to try to get the word out to take some proactive steps to keep from being a victim.  I could probably write another 10 posts on WordPress security, but this is a big one that is happening now.  If you have any feedback or improvements to the article please drop them in the comments below.
