• Resolved eddyferns

    (@eddyferns)


    Hi,

    With “Protect against username enumeration” settings all enabled, usernames are still revealed in the Post’s and Page’s source code as below:

    <div class="posted-by"><span class="posted-on">Published <time class="entry-date published updated" datetime="2021-03-09T19:58:21+00:00">March 9, 2021</time></span><span class="byline">By <a href="https://www.site1.com/author/john/" rel="author">harry</a></span></div>

    ‘john’ is the database user_nicename, and ‘harry’ is the public display name of the WordPress user login ID.

    Regards,
    Ed

    • This topic was modified 3 years, 7 months ago by eddyferns.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Which theme are you using?

    Thread Starter eddyferns

    (@eddyferns)

    Twenty Twenty-One.

    Plugin Author nintechnet

    (@nintechnet)

    Your theme leaks the usernames, you would likely need to edit it, as I don’t think any plugin could prevent that.
    There was a similar discussion here a long time ago: https://www.ads-software.com/support/topic/user-enumeration-through-author-archives/
    Some plugins too can leak them.

    Thread Starter eddyferns

    (@eddyferns)

    I did a couple of times plug the leak by delving into and altering the theme’s code.

    Was wondering if there was one fix for this issue, as all other attempts to hide usernames come to nought.

    Just using Twenty Twenty-One for test purposes. There are other themes that provide hiding author names as an option. In themes that don’t, there is work to do.

    Thanks for your input.

    Plugin Author nintechnet

    (@nintechnet)

    They rely on the WP API by calling functions to display the authors’ name. I think that only patching the code using a child theme or so will work.

    Thread Starter eddyferns

    (@eddyferns)

    Indeed, removing the author’s name can be achieved with the child theme by calling and modifying the functions that inject the metadata.

    For different themes one has to search for the files that contain the code. In some themes there is more than one function that echoes author information.

    Those plugins that claim to hide author do not know how effective they are. And I personally do not prefer to have a plugin just to hide author data.

    So I thought if the same is achievable it would be another good feature for Ninja.

  • The topic ‘Usernames revealed in Post’s and Page’s source code’ is closed to new replies.
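
A check for the leak discussed in this thread, as an added example that is not code from the plugin or from either poster: it parses rendered page HTML and reports every link whose path matches the default `/author/<user_nicename>/` archive permalink, so a theme or child-theme edit can be verified. The `LEAKY` sample is a shortened copy of the byline quoted in the first post, the `PATCHED` sample is constructed, and the default author permalink base is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Default WordPress author-archive permalink: /author/<user_nicename>/
AUTHOR_PATH = re.compile(r"/author/([^/]+)/?$")

class AuthorLinkAudit(HTMLParser):
    """Collect (slug, visible_text) for every link to an author archive."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._slug = None   # slug of the author link currently open, if any
        self._text = []     # visible text collected inside that link

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        match = AUTHOR_PATH.search(urlparse(href).path)
        if match:
            self._slug, self._text = match.group(1), []

    def handle_data(self, data):
        if self._slug is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._slug is not None:
            self.findings.append((self._slug, "".join(self._text).strip()))
            self._slug = None

def audit(html):
    """Return a list of (user_nicename, display_text) pairs exposed in html."""
    parser = AuthorLinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Byline markup from the first post of this thread (timestamp span omitted).
LEAKY = ('<div class="posted-by"><span class="byline">By '
         '<a href="https://www.site1.com/author/john/" rel="author">harry</a>'
         '</span></div>')
# Constructed sample: the same byline once the theme no longer links the archive.
PATCHED = '<div class="posted-by"><span class="byline">By harry</span></div>'

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY), ("patched", PATCHED)):
        print(name, audit(page))
```

Run it against saved copies of a post, a page and an archive view after each theme change; an empty list means no author-archive link remains in that markup.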