Support » Plugin: The SEO Framework » The best way to disable author archives for security?

  • Resolved david1103

    (@david1103)


    Hi,

    I have read that for sites with one author it’s a great idea to totally disable the author archives to prevent it being possible to enumerate all users. I used to do this in Yoast, can I do it with this plugin? THANKS.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Sybre Waaijer

    (@cybr)

    Hi @david1103,

    The author archives impose a security issue in such a way that the author IDs are revealed. With that information the attacker can execute a brute-force attack in order to gain admin access. Other ways can impose a forged and specifically targeted SQL injection.

    First and foremost, this is not an exposure of a direct vulnerability, because it doesn’t allow a direct attack.

    It’s just extra information that’s being used to make an attack easier. This information can be acquired in multiple ways, one of which is the author archives. Others are the REST API… and there are many more ways.

    Think of it like this: The moment you send an e-mail to anyone, half of your login information is given to the receiver: id est your e-mail address. It only misses the other half: your password.

    To truly protect you from this, you require at least one of the following:

    1. Brute Force protection※. If this is enforced, you’re fine.
    2. Use two-factor authentication. This only protects accounts on which it’s enabled. Highly recommended for admin accounts.
    3. Move WordPress login endpoints (don’t do this, it’s a pain with long-term issues).
    4. Disable login access from anything but your IP. This should be handled only through SSH/FTP, not through plugins.

    Second, this has nothing to do with The SEO Framework :), apart from that a hacked site is bad for SEO.
    Third, it has everything to do with WordPress Core and Security plugins.

    So, if you really want to follow up on protecting yourself from the information “leak”, you should get yourself a security plugin. Just be warned: when such a plugin is configured wrongly, it can harm your site in multiple ways. So please do your research beforehand.

    I hope this helps! Best of luck! 🙂

    ※ This, although stupidly discussed otherwise, should be handled in WP Core. Seriously, WP Core team…? You’re exposing millions of websites to easy dictionary attacks because you believe security is “plugin material”? With PHP7+ becoming common, this vulnerability is getting more severe. /rant
    Luckily, Two-factor seems to be planned for WordPress Core.
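The reply above names two of the enumeration paths (author archives and the REST API) but, as it says, fixing them is not The SEO Framework’s job. The following must-use plugin is an added example written for this page; it is not code from the plugin author, from The SEO Framework or from the thread. It closes the author-archive path (including the `?author=N` request, which core’s `redirect_canonical()` would otherwise turn into `/author/<login>/`), hides the `/wp/v2/users` REST routes from anonymous clients, and drops the users provider from the core XML sitemap added in WordPress 5.5. Every hook and function used is a WordPress core API; the decision to keep the REST routes for logged-in users (the block editor uses them) is an assumption made here, and the function names prefixed `example_` are ours.

```php
<?php
/**
 * Plugin Name: Hide author identities (added example, not part of The SEO Framework)
 * Description: Save as wp-content/mu-plugins/hide-author-identities.php.
 *
 * Closes three user-enumeration paths: author archives (and ?author=N),
 * the public REST API user listing, and the core users sitemap (WP 5.5+).
 * All hooks below are WordPress core APIs; exempting logged-in users from
 * the REST restriction is an assumption made for this example.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Send every author-archive request to the home page instead of resolving it.
 * Registered at priority 1 so it runs before redirect_canonical() (priority 10
 * on template_redirect), which is what rewrites ?author=1 to /author/<login>/
 * and thereby leaks the login name.
 */
function example_block_author_archives() {
    if ( is_admin() || ! is_author() ) {
        return;
    }
    wp_safe_redirect( home_url( '/' ), 301 );
    exit;
}
add_action( 'template_redirect', 'example_block_author_archives', 1 );

/**
 * Remove the /wp/v2/users routes for anonymous REST clients.
 * By the time this filter runs, cookie + nonce authentication has already
 * been checked, so is_user_logged_in() reflects a verified session.
 */
function example_hide_rest_user_routes( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints; // assumption: editors still need author pickers
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'example_hide_rest_user_routes' );

/**
 * Drop the "users" provider from the core sitemap (wp-sitemap-users-1.xml),
 * which otherwise lists every author archive URL.
 */
function example_drop_users_sitemap( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}
add_filter( 'wp_sitemaps_add_provider', 'example_drop_users_sitemap', 10, 2 );
```

To verify on a test site: `curl -I 'https://example.test/?author=1'` should return a 301 to the home page rather than to `/author/<login>/`, and `curl 'https://example.test/wp-json/wp/v2/users'` should return a `rest_no_route` error instead of a user list. Note that this only removes information sources; it does not replace the brute-force protection or two-factor authentication the reply recommends.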

    Thread Starter david1103

    (@david1103)

    Thanks for your detailed and helpful reply!

    Two-factor in core seems like a great idea. I tried some security plugins, and they were a bloated mess; for now my extremely long random-character passwords will be enough to let me sleep at night 🙂

    Plugin Author Sybre Waaijer

    (@cybr)

    Hi @david1103,

    You’re absolutely right!

    If you use JetPack, I think remote brute force protection has been implemented in there, if I’m not mistaken.

    And if you’re interested in two-factor, this is the one seemingly planned for Core:
    https://wordpress.org/plugins/two-factor/

    Please note it’s still in development (there are still some open bugs), but it works mostly as expected 🙂

  • The topic ‘The best way to disable author archives for security?’ is closed to new replies.