Username revealed in URL
-
I am very grateful for Wordfence, thank you! But I’m worried to see in Live Traffic that my username gets revealed in URLs like this:
https://www.mysite.com/archives/author/username/
Thinking it might be a historic problem, I changed the username. But now the new username is being revealed in the URLS in the same way.
Wordfence option is checked for: Prevent discovery of usernames…etc (also WordPress display name and nickname are different to username). Have I missed another option that I need to set, to prevent username being revealed?
-
Hi julesjules,
Wordfence will prevent revealing usernames by using oEmbed API and the WordPress REST API, for example check these methods described in the documentation. It sounds like your theme is showing these usernames in the post meta links or something similar, we have a detailed guide regarding how to “safely fetch a list of users posts” which I think you will have to use instead of the method your theme author is using.
Thanks.
Hi Wfalaa, thank you for your kind help.
I read the documentation page, thanks. I’m not familiar with the methods that are protected by Wordfence, but I think your reply indicates the problem is caused by my theme. I am struggling to understand this.
I never need to fetch a list of users. There is only one user (me) and archives are listed by date. My theme is Twenty Fifteen, latest version, so hopefully that would not have a bad security issue of revealing usernames. I did not find the username in page source when I checked a few pages.
Is there anything else in Wordfence that I can check, in case I did not set it up correctly for preventing usernames being revealed?
@julesjules, most themes reveal the user name, because that is part of standard WordPress functionality picked up by all themes. The username is part of the default author archives link, and will typically show up in the Meta section of every post. (Around where you see the author name on screen). Unless that theme specifically has options to turn certain meta info off.
Mind you, that even plugins that “turn off author archives”, such as Yoast SEO and others typically do not actually remove author archives or even the links to author archives.
They simply add a redirect on the “all posts by this author” link, making it consistently redirect to for example the home-page. Which will make such things as Google stop calling on it. They then cannot index author archives and create “duplicate content”.
But it DOES NOT remove the actual link to “View all posts by this author” (domainname.com/author/username) from the HTML code or from being visible to users. Hence the username still appears. To remove that, you will have to “fix” the theme. Directly or indirectly. Try right-click on your post web-page, view source-code, then hit Ctrl-F to search for your user-name. You will typically see where the user-name appears in the HTML. Typically in the Meta information for the posting where they also show the posting date.
To remove that, one would have to either add a filter on wordpress functions like get_author_meta(), the_author(), and others. Removing or replacing the username.
OR one would have to run off a modified theme (using a child-theme). In the child theme one could replace certain template files with versions that do not spew out the bad parts of author info, such as the login name that is part of the author archive link. Mind you, that Google et al. REQUIRE author name-info in the meta to accept being presented with a valid Schema for the page. Or their schema checker will complain about “missing author field”.
But one can replace that with only the Author name just fine. I for example have replaced author meta with only author name (no link behind it to click on, so no way to even TRY to click on to an author archive). But that is done in the theme programming behind it. By filtering away standard WordPress theme behavior.
-
Thank you Caleb for your help. I don’t know WordPress programming. I just want to keep my simple website as secure as possible and I’m grateful that Wordfence is a huge help for security. Only not with this author/username issue.
After a lot more searching and reading, I came to understand: the author link is constructed as …/author/user_nicename
BUT WordPress (including current version) has automatically set user_nicename to be the same as username. To me it seems very bad policy, as regards security, that WordPress exposes the username automatically. WordPress does not provide an easy way for me to set a different user_nicename.
I think now: I have to find out how to edit my WordPress database to change user_nicename to be different to username. Editing the database is a scary prospect for a non-technical person.
Wishlist item for Wordfence: a new option for Wordfence to automatically change user_nicename. It could be changed to display name (that we can set in WordPress user profile) or something else, only must be different to username.
user_nicename is merely a URL-sanitized version of user_login. In general, if you don’t use any special characters in your login, then your nicename will always be the same as login. (Check your users table. If you use normal login names, there is NO difference between the user_login and user_nicename columns).
But if you enter for example an email address in the login field during registration, then you will see a difference. For instance, if your login is user@example.com then you will have userexample-com as the nicename and it will be used in author’s URLs (like author’s archive, post permalink, etc). The only way to otherwise change the user_nicename is manual intervention in the database, or filtering.
(WordPress’ get_author_posts_url() function provides the filter “author_link” for changing the final, resulting URL to author pages before it is returned.) Of course filtering the link down to empty (href=””) would then effectively turn off author pages, as each author link would then point to the post page itself.
Nowhere to go. If you by chance are confusing “Nice name” with the user account’s “Display publicly as” choice, or the Nickname, they are NOT related to ‘user_nicename’, which is an internal thing normal users have no direct control over.
The URL-path for author archives cannot change every time someone changes “nick name” or “Display As” name. The URL is supposed to stay stable, or GoogleBot would go nuts trying to keep up with your changing URL addresses and apparently moving locations.
And BTW, that is one reason that the login-/user-name is the ONE thing you cannot change in your user account info. Once set, your login name stays the same. And is used permanently in the author URL. (the “/author/username” path).
So also for the “user_nicename”, which is set when the user is created, and is as mentioned just a sanitized (URL capable) version of the login name, just in case users use weird characters in logins or use email addresses.
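An added example, not code from this thread, from Wordfence or from the Twenty Fifteen theme, that puts the two approaches Caleb describes above into one must-use plugin: a database-side change of user_nicename through WordPress’ own wp_update_user(), and a filter-side removal of the author link via the author_link filter plus a redirect on the archive itself. The function names prefixed example_ are my own; the hooks, functions and the wp-content/mu-plugins/ location are standard WordPress.

```php
<?php
/**
 * Plugin Name: Author slug hardening (added example, not thread or Wordfence code)
 * Place this file in wp-content/mu-plugins/ so it loads regardless of the active theme.
 */

// Accounts whose author-archive slug (user_nicename) is just the sanitized
// login name, i.e. whose /author/<slug>/ URL reveals the login name.
function example_users_with_login_as_slug() {
    $exposed = array();
    foreach ( get_users() as $user ) {
        if ( $user->user_nicename === sanitize_title( $user->user_login ) ) {
            $exposed[] = $user->ID;
        }
    }
    return $exposed;
}

// Database-side fix: give one account a slug derived from its display name.
// wp_update_user() accepts user_nicename and appends -2, -3, ... when the slug
// is already taken. The author archive URL changes as a result (see Caleb's
// note above about URLs being meant to stay stable).
function example_set_slug_from_display_name( $user_id ) {
    $user = get_userdata( $user_id );
    $slug = sanitize_title( $user->display_name );
    if ( '' === $slug || $slug === sanitize_title( $user->user_login ) ) {
        return new WP_Error( 'slug_unchanged', 'Set a display name that differs from the login first.' );
    }
    return wp_update_user( array( 'ID' => $user_id, 'user_nicename' => $slug ) );
}

// Filter-side fix: Twenty Fifteen builds its byline link with
// get_author_posts_url(), which runs the author_link filter, so pointing every
// author link at the home page keeps the slug out of the page HTML entirely.
add_filter( 'author_link', function ( $link, $author_id, $author_nicename ) {
    return home_url( '/' );
}, 10, 3 );

// And close the archive itself, the redirect approach Caleb describes, so a
// direct request to /author/<slug>/ no longer serves the author's post list.
add_action( 'template_redirect', function () {
    if ( is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );
```

Only the two hooks run automatically; call example_set_slug_from_display_name() once per ID returned by example_users_with_login_as_slug() if you also want the slug itself changed in the database.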
- The topic ‘Username revealed in URL’ is closed to new replies.