How to Block the Author ID and Author Archive URLs in WordPress Blogs Using .htaccess

Preventing Author Queries/Enumeration and Archives on WordPress



by Christopher Heng, thesitewizard.com

I was asked by a visitor how he could block requests like http://www.example.com/?author=1, as well as author archive addresses like http://www.example.com/author/username/ using an Apache .htaccess file. He had read my article on securing a WordPress blog and was annoyed to discover that such URLs existed on his blog without his knowledge.

What do Author=ID and Author Archive URLs Mean?

For those who are not sure what my visitor is referring to, whenever someone types in a URL (i.e., web address) like http://www.example.com/?author=1 on a WordPress blog, he/she will be automatically redirected to http://www.example.com/author/username/, where username is (by default) the login name of the blogger with an ID of 1 (usually the admin user). Likewise, if you type http://www.example.com/?author=2, you will be redirected to http://www.example.com/author/anotherperson/ where anotherperson is the login name of the blogger with an ID of 2, if such an account exists. And so on. This redirected address, http://www.example.com/author/username/, contains a copy of the articles posted by that particular user, and is often referred to as an author archive.

How to Use .htaccess to Block the Author=ID and Archives URLs

The method below uses .htaccess to prevent anyone (including you and your legitimate visitors) from successfully accessing ?author=[number] and /author/[username]/. For it to work, your blog has to be on a machine running the Apache web server software. This is often the case if your site is hosted on a Linux or FreeBSD system, but is unlikely to be the situation if it is running on a Windows machine.

Add the following to your .htaccess file in your blog's main directory.

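# Refuse (403 Forbidden) any request whose query string carries an author= parameter,
# whether it is the first parameter or follows an "&".
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)author= [NC]
RewriteRule .* - [F,L]
# Refuse the author archive URLs too. In .htaccess the path is matched without its leading slash.
RewriteRule ^author/ - [F,L]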

The above must be added before any directives inserted by WordPress. That is, make sure the rules here are listed before the line that says "# BEGIN WordPress" in the .htaccess file.

The rules will fail any attempt to access URLs that begin with http://www.example.com/?author= or http://www.example.com/author/, where www.example.com is your blog's address, whether what follows is valid or not.
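
An added example, not part of the original article: a Python check to run over the web server's access log once the rules are in place. It lists author requests that were not answered with 403 and clients that asked for several author IDs. The sample log lines are constructed, and the combined log format, a blog installed at the site root and the threshold of three IDs are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:10:01:02 +0000] "GET /?author=1 HTTP/1.1" 403 199 "-" "curl/7.58.0"
203.0.113.7 - - [12/Mar/2018:10:01:03 +0000] "GET /?author=2 HTTP/1.1" 403 199 "-" "curl/7.58.0"
203.0.113.7 - - [12/Mar/2018:10:01:04 +0000] "GET /?author=3 HTTP/1.1" 403 199 "-" "curl/7.58.0"
198.51.100.4 - - [12/Mar/2018:10:05:00 +0000] "GET /author/username/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2018:10:06:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
192.0.2.15 - - [12/Mar/2018:10:07:00 +0000] "GET /2018/03/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client IP, method, request target and status code of one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def is_author_request(target):
    """True for an author= query or an /author/ path (blog assumed at the site root)."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    return "author" in {k.lower() for k in query} or parts.path.startswith("/author/")

def summarize(log_text, min_ids=3):
    """Return (not_blocked, enumerators) for author-related requests."""
    not_blocked = []               # (ip, target, status) where the status is not 403
    ids_by_ip = defaultdict(set)   # distinct author= values requested per client
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        if not is_author_request(target):
            continue
        if status != "403":
            not_blocked.append((ip, target, status))
        for key, values in parse_qs(urlsplit(target).query).items():
            if key.lower() == "author":
                ids_by_ip[ip].update(values)
    enumerators = sorted(ip for ip, ids in ids_by_ip.items() if len(ids) >= min_ids)
    return not_blocked, enumerators

if __name__ == "__main__":
    missed, enumerators = summarize(SAMPLE_LOG)
    print("author requests not answered with 403:", missed)
    print("clients requesting several author IDs:", enumerators)
```

An entry in the first list means the rules are not taking effect for that request, for instance because they were placed after the "# BEGIN WordPress" block.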

Note that this is not the only way to disable the author archives. You can also add an author.php file to your WordPress theme (or alter it if one already exists) that does nothing except return a 404 error code. However, the .htaccess solution is faster to execute and lightweight, since the request is processed directly by the web server without having to run the more resource-demanding WordPress software. It also has the advantage that it will not be overwritten if the theme gets updated.

If Your Concern is Duplicate Content: Other Things to Do

Since my visitor did not tell me why he was concerned about the author archives, I will try to address two of the possible reasons why it irked him.

The first of these is that the author archive is yet another copy of your posts, identical to those on the individual article pages (the permalink pages). This potentially leads to duplicate content issues on search engines that some people try to avoid.

If this is your concern, then you should remember that the author archive is only one of the numerous places where your post is replicated throughout your blog. For example, take a look at your home page, category pages, monthly archives, tag pages, and possibly others. It is also duplicated in its entirety in your RSS feed.

Depending on the WordPress theme that you're using, there are two ways to deal with this. Which way you take depends on what the theme does. You may even have to use both methods so that it works consistently across your home page and archives.

You can also configure your RSS feed to use a summary instead of the full post. To do this, click "Settings" followed by "Reading" in your WordPress dashboard. Click "Summary" for the "For each article in a feed, show" option. Note though that RSS feeds are not affected by search engine duplicate content issues. This is merely for those who prefer to use a summary instead of the full post.

If Your Concern is Information Leakage: Changing the Nickname (user_nicename)

Another possible reason for my visitor's desire to block the author archive is that he did not want to disclose his user login name, which is revealed in the URL for the author archive page. That is, an address of http://www.example.com/author/username/, by default, indicates that the author has a login name of username.

If this is the reason, you should be aware that the author's username is also leaked on every post you make on your site, depending on the theme you use. You can see if this is the case for your blog by going to one of your posts. Somewhere on that page is a link that says something like "Posted by [author name]". Move your mouse so that the pointer hovers over the link, and you will find that it points to your author archive page.

To fix this, change the nickname of your WordPress login account. By default, it is set to your user name. Go to your WordPress dashboard, click "Users" in the side column, followed by "Your Profile". Enter a new name into the "Nickname" field, one that is different from your user name. Then go to the "Display name publicly as" field and select something other than your user name, that is, either your nickname, or whatever name you have entered into the First Name and Last Name fields. When you're done, click the "Update Profile" button at the bottom of the page. Your author archive address will now become http://www.example.com/author/nickname/.

(And since you have disabled your author archive page with the .htaccess directives earlier, you may also want to consider modifying your theme so that the "Posted by [author]" is not a link, but just plain text. Otherwise visitors clicking the link will end up at an error page.)

Incidentally, if security is your concern, blocking the author queries/archives and changing the nickname are not sufficient in themselves. You should also take the commonly-advocated additional steps to secure a WordPress blog.

Conclusion

Using .htaccess directives to block author ID and archive requests is probably the most efficient way of preventing such queries from succeeding. However, if your reason is one of the common ones mentioned above, you will also need to take the additional steps given, otherwise it is pointless.

Copyright © 2018 Christopher Heng. All rights reserved.