A Case Against Author Archives In WordPress

Author Archives in WordPress

What Are Author Archives?

When you write posts or pages (or any custom post type) for your WordPress site, they are linked to you as the author. The authors associated with posts are actually the back-end users of your site. There is a select box on each post edit screen that lets you choose which user is the author of the piece of content.

The author archives are dynamically generated pages that allow site visitors to see all of the posts associated with a particular author (user). They are pretty helpful: if you read a piece of content that you really like, you can click on the author and review other content they have created. From a site visitor’s perspective, this is a great thing (especially when there is a bio and links to the author's social media, so you can follow them for more great content). Here is an example of an author archive: Author Archive Example.


So Why Is This A Bad Thing?

Looking through a simple Google search using search operators to expose these pages, you will find a pretty nicely done author archive here (Props Joe Hall). But, the vast majority are more like here, here, and here (Boo Majestic). This is because most owners of blogs care very little about these pages (if they even know they exist).  These are dynamically generated out-of-the-box from WordPress.  In the bad examples above, this can add pages and pages of really crappy content to your site (Panda say NO!).

That is not the worst part. The really bad thing about author archives is that they can let malicious persons potentially gain access to your site if you are not careful. Let’s take a look at the Majestic blog example linked above. If you pull up their sitemap.xml file, you will find a link to the author-sitemap.xml. Perusing that list, I can see the usernames for all of their users (admin, barrie, rstlamedia-dk, etc.). So if I wanted to, I could create a script that sends POST requests to their wp-login.php page, say 20 at a time over the course of the next month, until it found the correct password for one of those usernames.

A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security.

Source


This is what it looks like in the wild:

In the above server log, you will see that the last POST request worked: the hacker gained access. The level of harm this can bring to your site depends on the level of permissions (author, editor, admin, etc.) of the user that was targeted by the brute force attack shown above. At the very minimum, a malicious SEO can get access and silently add links at will to the content of your pages. At worst, the attacker could access your server and wreak havoc on your site (or sites).
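As an added example (not from the original post), here is a small PHP script that looks for the pattern just described in Apache combined-format access-log lines: a burst of POSTs to wp-login.php from one client, ending in the 302 redirect that a successful login produces. The log lines and the threshold are constructed.

```php
<?php
// Added example: group POST /wp-login.php requests by client IP, report clients
// that exceed a threshold, and note whether a 302 (success) followed failed tries.

function scan_wp_login_attempts( array $lines, $threshold = 5 ) {
    $pattern = '#^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php\S* HTTP/[\d.]+" (\d{3}) #';
    $by_ip   = array();
    foreach ( $lines as $line ) {
        if ( preg_match( $pattern, $line, $m ) ) {
            $by_ip[ $m[1] ][] = array( 'time' => $m[2], 'status' => (int) $m[3] );
        }
    }
    $findings = array();
    foreach ( $by_ip as $ip => $posts ) {
        // WordPress answers a failed login with 200 (the form is re-rendered) and a
        // successful one with a 302 to wp-admin: a 302 after a run of 200s is the signature.
        $failed = 0;
        $success_after_failures = false;
        foreach ( $posts as $p ) {
            if ( 302 === $p['status'] && $failed > 0 ) {
                $success_after_failures = true;
            } elseif ( 200 === $p['status'] ) {
                $failed++;
            }
        }
        if ( count( $posts ) >= $threshold ) {
            $findings[ $ip ] = array(
                'attempts'          => count( $posts ),
                'failed'            => $failed,
                'last'              => $posts[ count( $posts ) - 1 ]['time'],
                'likely_compromise' => $success_after_failures,
            );
        }
    }
    return $findings;
}

// Constructed sample: 192.0.2.10 makes five guesses and the fifth succeeds;
// 198.51.100.7 logs in once on the first try (normal, not reported).
$sample = array(
    '192.0.2.10 - - [10/Mar/2011:22:41:07 -0500] "POST /wp-login.php HTTP/1.1" 200 3415 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2011:22:41:09 -0500] "POST /wp-login.php HTTP/1.1" 200 3415 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2011:22:41:10 -0500] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2011:22:41:11 -0500] "POST /wp-login.php HTTP/1.1" 200 3415 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2011:22:41:14 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2011:22:41:13 -0500] "POST /wp-login.php HTTP/1.1" 200 3415 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2011:22:41:15 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
);
print_r( scan_wp_login_attempts( $sample ) );
```

Run against a real log with `php scan.php` after replacing `$sample` with `file('/var/log/apache2/access.log')`; a client reported with `likely_compromise` set is the case to investigate first.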


What Can Be Done To Help?

The WordPress Team

First off, this would be a very easy fix for the WordPress.org team. Instead of using author archive URLs that include the username (i.e. http://blog.majesticseo.com/author/admin/), they could build the author slug from the display_name column (similar to the way they generate post slugs currently). This could be overridden in the user settings for users who wanted to hide their real name. Second, author archives could be off by default and only activated from the Settings > Reading section of the admin area.
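Both suggestions can be approximated on your own site with a must-use plugin. The following is an added example, not code from this post or from WordPress core; the function and option names are assumptions.

```php
<?php
// Added example: single-site mu-plugin (drop into wp-content/mu-plugins/) that
// derives author slugs from the display name and turns author archives off.

// 1. Build user_nicename (the slug in /author/<slug>/) from the display name.
//    By default it is the sanitized login name, which is what leaks the username.
function example_nicename_from_display_name( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $slug = sanitize_title( $user->display_name );
    // Fall back to something that is not the login name when the display name is
    // empty or merely repeats the login.
    if ( '' === $slug || $slug === sanitize_title( $user->user_login ) ) {
        $slug = 'author-' . $user_id;
    }
    // Avoid colliding with another user's slug.
    $existing = get_user_by( 'slug', $slug );
    if ( $existing && (int) $existing->ID !== (int) $user_id ) {
        $slug .= '-' . $user_id;
    }
    // wp_update_user() fires profile_update again; stop once nothing changes.
    if ( $slug !== $user->user_nicename ) {
        wp_update_user( array( 'ID' => $user_id, 'user_nicename' => $slug ) );
    }
}
add_action( 'user_register', 'example_nicename_from_display_name' );
add_action( 'profile_update', 'example_nicename_from_display_name' );

// 2. Author archives are off unless the site explicitly enables them (assumed option name).
function example_block_author_archives() {
    if ( is_author() && ! get_option( 'example_enable_author_archives', false ) ) {
        global $wp_query;
        $wp_query->set_404();
        status_header( 404 );
        nocache_headers();
    }
}
add_action( 'template_redirect', 'example_block_author_archives' );
```

Changing user_nicename changes the existing author URLs, so run this before anything links to them, and check your sitemap plugin still lists only the archives you want exposed.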


What You Can Do

The easiest first step is to make sure you are not using an obvious username for your Administrator account. admin is used by wayyyyy too many people, and if your password is not really, really strong, you are asking for it.

The second thing is to install a useful plugin called Limit Login Attempts by Johan Eenfeldt (please update the plugin, Johan). It allows you to specify a lockout period if someone tries to log in too many times. It will also alert you by email (if checked) if someone is trying to brute force their way into your site.

Last, use Yoast’s WordPress SEO plugin to disable your author sitemap and/or author archives if you are not using them.

Disable Author Archives in WordPress SEO

Disable Author Sitemap in WordPress SEO


In Conclusion

I am only bringing this up because I have seen this happen and I want to try to get the word out to take some proactive steps to keep from being a victim.  I could probably write another 10 posts on WordPress security, but this is a big one that is happening now.  If you have any feedback or improvements to the article please drop them in the comments below.

Multi-Site User Replicator 3000

 

Description
This plugin gives you the ability to pull up any (non-Super Admin) user and, in one click, add that user (with a global role) to all sites in your MU install. Likewise, if you want to remove a user from all sites, it is one click as well. CAUTION: WordPress has an optional mechanism when deleting a user from a site that allows you to assign that user's posts to another user. I have ignored this for this release. Please take DB backups until you are used to this plugin and Multi-Site.


Name: Multi-Site User Replicator 3000
Contributors: jroakes (me!)
Donate link: http://visiblecompany.com (here!)
Tags: user, multi-site, sites, mass edit,
Requires at least: 3.1 – Should work for previous versions.
Tested: 3.1
Stable tag: Trunk

** Please use this plugin at your own risk.  I offer no warranty or support.

WP3.1 multisite “mu-plugin” that allows you to add a user to all sites or no sites. Just drop in mu-plugins.


Installation
This section describes how to install the plugin and get it working.

1.  Upload `user-replicator-3000.php` to the `/wp-content/mu-plugins/` directory

2.  Find “Multi-Site User Replicator 3000” options at the bottom of Network Admin->Edit User

Frequently Asked Questions

– Will this plugin re-assign the posts of the deleted user? Not Now.

–  What will happen if I remove the plugin from the mu-plugins directory? Nothing. The users will still be assigned and the minimal data in the database will remain.

–  Can you bulk update a group of users at a time, but not all? Not Now.

–  The user has been deleted from some sites and I want to re-add to all. How do I do this? “Remove User From All Sites” and then “Add User to All Sites”

Screenshots

1.  Add User: Add user to all sites step.

2.  Delete User: Delete user from all sites step.

Changelog
= 0.1 =
* initial release (Just a fledgling)

Download
Click here