bugfix: username endpoint was blocked when protections were disabled
developeregrem committed Jul 23, 2020
1 parent 598efcd commit 5a683ce
Showing 2 changed files with 5 additions and 6 deletions.
4 changes: 2 additions & 2 deletions wp-author-security/readme.txt
Expand Up @@ -2,9 +2,9 @@
Contributors: mgm-sp
Tags: security, user enumeration
Requires at least: 4.7
Tested up to: 5.3
Tested up to: 5.4
Requires PHP: 5.6
Stable tag: 1.1.1
Stable tag: 1.1.2
License: GPLv3

Protect against user enumeration attacks on author pages.
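Review bot: The `Stable tag: 1.1.2` bump here is consistent with the `Version: 1.1.2` header change in wp-author-security.php, so the two version sources stay in sync. Since the visible hunk only touches metadata (`Tested up to`, `Stable tag`), consider also adding a changelog entry for 1.1.2 in readme.txt that names the fix (username endpoint blocked while name protection was disabled), so users upgrading can see why the release exists.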
7 changes: 3 additions & 4 deletions wp-author-security/wp-author-security.php
Expand Up @@ -4,7 +4,7 @@
* Description: Protects against user enumeration attacks for author pages. By default, Wordpress will display some sensitive information on author pages. The author page is typically called by requesting the URI https://yourdomain.com/?author=<id> or with permalinks https://yourdomain.com/author/<username>. The page will include the full name (first and last name) as well as the username of the author which is used to login to Wordpress. In some cases, it is not wanted to expose this information to the public. An attacker is able to brute-force valid IDs or valid username. This information might be used for further attacks like social-engineering attacks or login brute-force attacks with gathered usernames. By using the extension, you are able to disable the author pages either completely or only for users that do not have any published posts yet. When the page is disabled the default 404 page not found is displayed.
* Author: mgm-sp
* Author URI: https://www.mgm-sp.com
* Version: 1.1.1
* Version: 1.1.2
* License: GPL3
* Plugin URI: https://github.com/mgm-sp/wp-author-security
*/
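Review bot: Style point on the unchanged `Description:` line in this hunk: the product name is spelled "Wordpress" twice where the project itself writes "WordPress", and "brute-force valid IDs or valid username" should read "valid usernames". Not blocking for a version bump, but since the header is what the plugin directory displays, a follow-up tidy of that sentence would be worthwhile.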
Expand All @@ -27,16 +27,15 @@ function check_author_request() {

$field = '';
$value = '';
$author = get_query_var('author', false);
$author = get_query_var('author', false); // when the username is passed, wp will return the existing user id here
$authorName = get_query_var('author_name', false);


// matches requests to "/author/<username>"
if ( $authorName && get_option( 'protectAuthorName' ) != AuthorSettingsEnum::DISABLED ) {
$field = 'login';
$value = trim($authorName);
// matches requests to "?author=<id>"
} else if ( $author && get_option( 'protectAuthor' ) != AuthorSettingsEnum::DISABLED ) {
} else if ( $author && !$authorName && get_option( 'protectAuthor' ) != AuthorSettingsEnum::DISABLED ) {
$field = 'id';
$value = intval($author);
} else {
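Review bot: The added `!$authorName` guard in the `else if` is the right fix for the symptom in the commit title: as the new comment on the `$author` assignment states, WordPress resolves `author_name` into the `author` query var, so without the guard the id branch would intercept `/author/<username>` requests whenever `protectAuthorName` was disabled but `protectAuthor` was enabled. Two follow-ups: the explanatory comment appended to `$author = get_query_var('author', false);` makes that line long and would read better on its own line above the assignment; and both branches compare `get_option(...)` to `AuthorSettingsEnum::DISABLED` with loose `!=`, while `get_option()` returns `false` for an option that has never been saved, so it is worth confirming that the loose comparison yields the intended default for a fresh install (or switching to `!==` with an explicit default passed to `get_option()`).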
