    Hello,
    This is a security question.
    If I create a wordpress page but I don’t add it to a menu anywhere and I don’t add a link to it anywhere on my site, is it possible for the googlebot (or another bot – or an attacker) to find out about it? (Such a page is useful for the purpose of making a page visible only to people who receive an email with a link to it. I know I can add a “noindex directive” but my question is: “is there a way for the bot to find out about such a page that is not otherwise visible on the site?” )

    Please do not post answers to this question unless you are certain of the answer.

    -Patrick

    > Please do not post answers to this question unless you are certain of the answer.

    We’re all here to help, Patrick, and we all have different levels and knowledge of expertise. If you don’t trust the answers, hire a developer so you can point to someone for accountability.

    Respectful indexing of your site / page is determined from the meta-tags and your robots.txt file. However, not all index engines are respectful.

    If you want to have a page only available to people who receive an email with the link to it, then set it up properly using one of these approaches:
    – membership site:
    https://en-ca.www.ads-software.com/plugins/ultimate-member/
    – restricted content:
    https://www.ads-software.com/plugins/restrict-content/
    – password protected page:
    https://www.ads-software.com/plugins/password-protect-page/

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Yes. It would show up in your sitemap (unless you specifically exclude it from that). So, if you’re using a plugin like Yoast SEO, noindex it and exclude it from the site map.

    “Please do not post answers to this question unless you are certain of the answer.” That’s very unwelcoming.

    Thread Starter patrick_here

    (@patrick_here)

    Look folks I honestly do appreciate your willingness to help – there must be a better way to warn people in advance of a tricky or difficult question?

    @corrinarusso : I see that you have been helping many people on these forums – thank you. Regarding this question I’ve asked, I think I made it abundantly clear in my original post that I am not looking for a “membership” solution. I am talking about a page that is normally “invisible” to everyone who doesn’t have a link but visible to those who do. Simple question! There is nothing improper about doing this – on dropbox for example you can give access to anyone who has a link (which you would send them in an email). But thanks for taking your time to help people on these forums!

    Steve: Thanks for taking your time to moderate this forum. As I mentioned in the original post, I know I could noindex the page (and I thought it would be obvious enough that I would know enough to not put it into my sitemap).

    I couldn’t think of a better way to say it – this is a tricky question. But I think it’s an important one because people are always trying to break into websites. There are “user enumeration” hacks that brute-forcers use to find usernames before trying to brute force passwords. I just want to know if anyone knows if there’s a similar way to – for example – get a list of all pages on the site …even the ones that aren’t on a menu somewhere (and if so, is there a way to prevent it?).

    My question assumes that the page is not present in the sitemap.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    The answer is yes, and they gave you the correct answer. Don’t be an ass.

    Remove from sitemaps.
    Add to robots.txt
    No index etc – you have that covered.

    Generate a long random url like md5 hash plus.

    If you want to add a bit more then expire the link after a short period of time, if they visit from email later just display link expired / instructions how to re request.

    That’s how most do it.

    It is never 100% guaranteed but that is the nature of publishing to the web.

    Edit: if you want to use another level of security, some also use OAuth of well-known cloud services (e.g. Google, O365, Twitter, Facebook) to verify access to the page.


    Even if you removed it from the sitemap it would still be listed if you issue a command to the REST API. For example, if you go to rollingstone.com and issue https://www.rollingstone.com/wp-json/wp/v2/pages it will return a JSON string of all the pages on the site. You could change pages to posts and get all the posts on the site. I think the REST API is turned on by default. If you turn it off you could cause dynamic blocks on your site to have a problem.

    If a hacker is trying to break into your site, they are going to use tools to break in. They won’t come to your site and follow menu links. They will try to automate the process. If you’re not going to require authentication then they will probably find the pages in the end.

    Thread Starter patrick_here

    (@patrick_here)

    Thank you @mrtom414 ! Yes, a problem with the rest API is exactly what I was afraid of (and yes, it is turned on by default). I’m already disabling endpoints for user enumeration …so I’ll have to look into disabling endpoints for page enumeration.

    Since starting this thread I’ve discovered that the “Unlist Posts and Pages” plugin is doing what I need – but that plugin just approaches the problem from the database perspective (and adds a “noindex”); I don’t see anything in the code addressing the REST API vulnerability.

    Regarding the dynamic blocks question, I’m not using the block editor and I’m not up to speed on dynamic blocks functionality …and I wouldn’t be turning off REST API entirely …just disabling the page related endpoint(s) specifically. You’re saying that the site could have a problem with dynamic blocks only if I turn the REST API off completely, right? Thanks very much for your reply @mrtom414.

    Alan, thanks for the input.
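    A defender-side sketch of what @mrtom414 and @patrick_here discuss above: hiding flagged pages from the `/wp/v2/pages` collection and from anonymous single-item lookups without turning the REST API off, and keeping them out of the core sitemap and crawler indexes. This is an added example, not code from the thread or from the “Unlist Posts and Pages” plugin; the meta key `_unlisted` and the `ex_` function names are assumptions, while `rest_page_query`, `rest_prepare_page`, `wp_sitemaps_posts_query_args` and `wp_robots` are core WordPress filters.

```php
<?php
/**
 * Plugin Name: Unlisted Pages (added example)
 * Drop into wp-content/mu-plugins/. A page is "unlisted" when it has the
 * post meta key `_unlisted` (an assumed key, not the one used by the
 * "Unlist Posts and Pages" plugin). It stays reachable by direct URL but
 * is hidden from REST listings, anonymous REST lookups, the core sitemap
 * and well-behaved crawlers.
 */
function ex_is_unlisted( $post_id ) {
    return metadata_exists( 'post', $post_id, '_unlisted' );
}
// Meta clause reused below: select only posts that lack the flag.
function ex_not_unlisted_clause() {
    return array( 'key' => '_unlisted', 'compare' => 'NOT EXISTS' );
}
// /wp-json/wp/v2/pages: drop unlisted pages from the collection unless
// the caller can edit pages, so the block editor keeps working.
add_filter( 'rest_page_query', function ( $args, $request ) {
    if ( ! current_user_can( 'edit_pages' ) ) {
        $args['meta_query'][] = ex_not_unlisted_clause();
    }
    return $args;
}, 10, 2 );

// /wp-json/wp/v2/pages/<id>: answer exactly like a non-existent ID so
// the response does not confirm that the page exists.
add_filter( 'rest_prepare_page', function ( $response, $post, $request ) {
    if ( ex_is_unlisted( $post->ID ) && ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    return $response;
}, 10, 3 );

// Core XML sitemap (WP 5.5+): keep the page out of /wp-sitemap.xml.
add_filter( 'wp_sitemaps_posts_query_args', function ( $args, $post_type ) {
    if ( 'page' === $post_type ) {
        $args['meta_query'][] = ex_not_unlisted_clause();
    }
    return $args;
}, 10, 2 );

// Robots meta (WP 5.7+): noindex,nofollow for crawlers that reach the
// page anyway, e.g. through a forwarded email link.
add_filter( 'wp_robots', function ( $robots ) {
    if ( is_singular( 'page' ) && ex_is_unlisted( get_queried_object_id() ) ) {
        $robots['noindex']  = true;
        $robots['nofollow'] = true;
    }
    return $robots;
} );
```

    Pair this with the long random slug Alan suggests: the slug is still the only thing standing between the page and anyone who guesses it, so these filters only close the listing and indexing channels.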

    Thread Starter patrick_here

    (@patrick_here)

    I ran a test just now using the “Unlist Posts and Pages” plugin and verified that when a page is set as “unlisted” using that plugin, it is hidden even with the REST API call mentioned by @mrtom414. So this would seem to indicate that the plugin is blocking db queries from the REST API. That’s great! Kudos to this plugin developer. Thanks again @mrtom414 !

    Dynamic blocks will probably play a bigger role in the future. If you want to have blocks that show content in real time you will need the REST API. Also, there’s a trend toward headless websites using packages like Gatsby. Using the REST API would then be required. WordPress adds a nonce to the page to prevent cross-site scripting. I think the real security concerns would be if you are running remote applications off your database. You would then have to implement authentication, like Alan pointed out.

    The topic ‘Hidden Page (Security Question)’ is closed to new replies.