UPDATE: This is no longer necessary as WordPress will now return a not found to the query below.

Author Lockdown

With a proliferation of automated bots crawling the web, many with less than good intentions, you may want to block enumeration of your author permalink(s). To demonstrate the problem, run the following query, substituting your domain name:

you can increment the number until your author permalink is displayed. Here’s a sample screen shot to demonstrate:


which results in this:


and as you can see, the authors username is displayed in the resulting url.

To prevent this, we can implement the following code in our .htaccess file:

# Redirects to author=999999 that does not actually exist
# which results in a standard 404 error. To the hacker bot
# it appears that this author does not exist without giving
# any clues that the author does actually exist.

RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^(.*)$ $1?author=999999 [L]

Now when the same query is run, the result will be
a 404 not found.

While this is better, author links will still expose the 
author's username as seen in the following screenshot:

With the mouse cursor hovering over the link “View all posts by Author Demo”, the author username is visible in the lower left hand corner. To fix this we install the plugin – Display Name Author Permalink. After installing and activating, the author’s username is replaced with their Display name as seen below:


Bad bots are often in search of two things – a username and a password. They need both to attempt to access your site. By implementing the above, we’re making them work harder to get the first.

WordPress Tip of the Day - Author Lockdown

[et_bloom_inline optin_id=optin_1]