• Resolved leejosepho

    (@leejosepho)


    I think I might be in my final stage of learning how BPS handles edits, saves and backups, and I thank you for your patience and clear explanations!

    I just did the BULLETPROOF .49.1 update (four individual and completely separate sites), I presently have the big yellow banner at the top of each site’s Dashboard and I am going to leave things just like that until I know exactly how to work inside BPS properly rather than manually editing my .htaccess files via FTP like I have been doing.

    In the past, my .htaccess modifications I have been doing manually via FTP have not been showing up in my BPS editors…and maybe that is because I had not set permissions properly beforehand. But after doing the BPS .49.1 update a few minutes ago, I *do* now see my previously-FTP-modified files in the BPS editors.

Question: Will my modifications disappear if I click “Create secure.htaccess file” in BPS or will they again be read from the file and be included like they obviously were during the update? Also, will the “Create secure.htaccess file” button cause BPS to add the various comment lines I had previously removed via FTP?

    What I would like to know here is how and/or where “square one” is defined before I click any button after the BPS .49.1 update.

    https://www.ads-software.com/plugins/bulletproof-security/

Viewing 15 replies - 31 through 45 (of 59 total)
  • Thread Starter leejosepho

    (@leejosepho)

    Anonymity in the sense that an author is typically not identified along with a given page or post.

    We have been using this:

    # send username enumeration to Home Page
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
    RewriteRule ^(.*)$ /? [L,R=301]
    # send /author/ scans to Home Page
    RedirectMatch (?i)^/author.*$ /
    </IfModule>

    You modified two of those lines to improve their ability to work properly past 99, but we still want the query sent to “Home” and not to “Forbidden”.

    Plugin Author AITpro

    (@aitpro)

    I still do not understand. Can you give me an example?

    The Query String should load the Theme’s 404 template file and display a 404 Not Found error and not a 403 Forbidden error. A 404 error is going to be natural and not give any clues to a hacker bot. A 403 error will tell the hacker bot that a security measure has been implemented. In this case it is better to have a 404 error.

    Try something like this in the link below.

    https://stackoverflow.com/questions/12810307/htaccess-remove-query-string-on-redirect

    Thread Starter leejosepho

    (@leejosepho)

    The Query String should load the Theme’s 404 template file and display a 404 Not Found error and not a 403 Forbidden error.

    We want it to go to “Home” instead of either of those, like you can see here:
    www.nnysandbox.net/?author=0
    www.nnysandbox.net/?author=99

    Plugin Author AITpro

    (@aitpro)

    This is a good explanation of how to strip off the Query String.

    https://stackoverflow.com/questions/8956475/remove-query-string-from-redirected-url-with-htaccess

    You were close to the answer… You have the ? on the wrong side. Put it on the redirect side to strip off the query string:

    RewriteRule ^viewtopic.php https://www.myurl.org.uk/? [L,R=301]
    In a 301 redirect, mod_rewrite will normally append the full query string. But placing a ? at the end of your rewritten URL without a corresponding [QSA] (“querystring append”) flag will instruct it instead to use the blank query string you supplied.

    Plugin Author AITpro

    (@aitpro)

    Ok look at these 2 example links and tell me what should be different. Using these Query Strings produces a 404 error, loads the Theme’s 404 template inside of the “Home” template file for the Theme. To the hacker bot this means that the author ID / User ID / Username does not exist on this website. It is completely natural and is exactly what would happen if the author ID / User ID / Username did not actually exist, but the author ID does exist on this website.

www.ait-pro.com/verum/?author=1
www.ait-pro.com/verum/sample-page/?author=1

Thread Starter leejosepho

    (@leejosepho)

    Ok look at these 2 example links and tell me what should be different.

    We want to land at “Home”, not an error page.

    Plugin Author AITpro

    (@aitpro)

Why? A legitimate person would not use the /?author=1 Query String and only a hacker bot would use this Query String so I don’t understand why you would want the redirect.

    Thread Starter leejosepho

    (@leejosepho)

Why? A legitimate person would not use the /?author=1

    Maybe, or maybe not. If someone wanted to find all the authors at a given site and catalog their stuff in whatever way, stepping through the numbers could facilitate that. But overall, we want to just quietly be anonymous while also being silent even about that.

    Plugin Author AITpro

    (@aitpro)

    Ok, but redirecting what should be a normal 404 error then tells the hacker bot that something has been done to hide author ID’s on this website.

    Going by the example in the StackOverflow link you would do something like this: RewriteRule ^author=([0-9]){1,} https://www.ait-pro.com/verum/? [L,R=301]

    Plugin Author AITpro

    (@aitpro)

    oops forgot the ? to strip off the Query String. Edited/added above.

    Thread Starter leejosepho

    (@leejosepho)

    redirecting what should be a normal 404 error then tells the hacker bot that something has been done to hide author ID’s on this website.

    Ah, now I see your point, and I thank you!

    Plugin Author AITpro

    (@aitpro)

Yeah, in this particular case a 404 error is the optimum choice to choose since most likely only a dirt bag will use that Query String so it will not negatively impact legit users or SERPS.

    Plugin Author AITpro

    (@aitpro)

    Just for the heck of it another way to do that redirect would be this going by the StackOverflow example:

RewriteCond %{QUERY_STRING} ^author=([0-9]){1,}$ [NC]
RewriteRule ^verum/$ https://www.ait-pro.com/verum/? [L,R=301]

Thread Starter leejosepho

    (@leejosepho)

    So then, and on a similar matter, what would you say about a scan for content from a known author (username) being returned to “Home”?

    # send /author/ scans to Home Page
    RedirectMatch (?i)^/author.*$ /

    example: www.nnysandbox.net/author/anyusername/

    Will that get a hacker fired up or mess something else up that would otherwise be legitimate?

    Plugin Author AITpro

    (@aitpro)

    What type of scan would that be? cURL? DOM? I’m not 100% sure if these types of scans of the source code of a website could be blocked using .htaccess code. If the Request has something in it that can be checked/filtered/blocked then it can be blocked using whatever the “something” is. I will have to experiment with this to see what does and does not work. Will post back here after I play around with this.

    https://stackoverflow.com/questions/9391137/can-servers-block-curl-requests
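The following .htaccess block is an added example, not code from this thread or from the BulletProof Security plugin. It puts together the points made above: the query string has to be tested with RewriteCond because a RewriteRule pattern only ever sees the URL path (which is why a rule beginning with ^author= never fires), the trailing ? on the target is what discards ?author=N from the redirect, and the path-based /author/<name>/ rule is anchored with a slash so it does not also catch unrelated pages that merely begin with “author”. It generalizes AITpro’s ^verum/$ rule to any path on the site. It assumes WordPress is installed at the web root with mod_rewrite loaded; the tightened regex (at least one digit, anchored at the end) and the [R=404] variant are my choices, not the plugin’s.

```apache
# Added example (not from the thread or the BulletProof Security plugin).
# Assumes: WordPress at the web root, mod_rewrite loaded, rules in .htaccess
# (per-directory context, so RewriteRule patterns see the path without the
# leading slash).

<IfModule mod_rewrite.c>
RewriteEngine On

# --- /?author=N probes ------------------------------------------------------
# RewriteRule only matches the URL path, never the query string, so the
# ?author=N part must be tested with RewriteCond against %{QUERY_STRING}.
# ^author=[0-9]+$ requires at least one digit and nothing after it, so a bare
# "?author=" or "?author=1&x=y" is left alone; use ^author=[0-9]+(&|$) if you
# want the second form caught as well.
RewriteCond %{QUERY_STRING} ^author=[0-9]+$ [NC]

# Option A (what leejosepho asked for): 301 to the home page.
# The "?" at the end of the target replaces the query string with an empty
# one; without it (or with [QSA]) mod_rewrite re-appends ?author=N to the
# redirect. On Apache 2.4 the [QSD] flag does the same job as the trailing "?".
RewriteRule ^ /? [L,R=301]

# Option B (AITpro's preference): answer 404 so the probe looks like an author
# ID that does not exist. This is Apache's own 404 (or your ErrorDocument),
# not the theme's 404 template. Use it INSTEAD of Option A: keep the
# RewriteCond above and swap the rule for the one below.
# RewriteRule ^ - [L,R=404]

# --- /author/<name>/ archive requests ---------------------------------------
# Anchored with the slash so /author-guidelines/ or /authority/ is not caught,
# unlike RedirectMatch ^/author.* which matches any path starting with "author".
RewriteRule ^author/ /? [L,R=301,NC]
</IfModule>
```

Whichever option you pick, check it the way the thread does: request /?author=1 for an ID that does exist and confirm the response is the redirect to / (or the 404) and not a redirect to /author/<username>/, which is the response that leaks the login name.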

  • The topic ‘What file permissions are needed while editing?’ is closed to new replies.