I was asked by a visitor how he could block requests like http://www.example.com/?author=1, as well as author archive addresses like http://www.example.com/author/username/, using an Apache .htaccess file. He had read my article on securing a WordPress blog and was annoyed to discover that such URLs existed on his blog without his knowledge.
For those who are not sure what my visitor is referring to, whenever someone types in a URL (ie, web address) like http://www.example.com/?author=1 on a WordPress blog, he/she will be automatically redirected to http://www.example.com/author/username/, where username is (by default) the login name of the blogger with an ID of 1 (usually the admin user). Likewise, if you type http://www.example.com/?author=2, you will be redirected to http://www.example.com/author/anotherperson/ where anotherperson is the login name of the blogger with an ID of 2, if such an account exists. And so on. This redirected address, http://www.example.com/author/username/, contains a copy of the articles posted by that particular user, and is often referred to as an author archive.
The method below uses .htaccess to prevent anyone (including you and your legitimate visitors) from successfully accessing ?author=[number] and /author/[username]/.
For it to work, your blog has to be on a machine running the Apache web server software. This is often the case if your site is hosted on a Linux or FreeBSD system, but is unlikely to be the situation if it is running on a Windows machine.
Add the following to your .htaccess file in your blog's main directory.
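One way to write directives with the behaviour described here, as an added example rather than the article's own rules. It assumes mod_rewrite is enabled and WordPress is installed in the site root, and it goes slightly beyond the text by matching author= anywhere in the query string while leaving /wp-admin/ alone, since the dashboard's post list filters by ?author=N.

```apache
# Added example: block WordPress author-ID queries and author archives.
# Assumptions: mod_rewrite is available and the blog lives in the site root.
<IfModule mod_rewrite.c>
RewriteEngine On

# 1. Author-ID queries (/?author=1, /?x=1&author=2, ...).
#    Skip /wp-admin/ so the dashboard's "filter posts by author" view
#    (edit.php?author=N) keeps working for logged-in users.
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
RewriteCond %{QUERY_STRING} (^|&)author= [NC]
#    A non-3xx status with R drops the substitution and stops rewriting,
#    so Apache answers 404 itself. Use [F] instead for a 403.
RewriteRule ^ - [R=404,L]

# 2. Author archives (/author/anything/), whether or not the name exists.
#    In .htaccess the pattern is matched without the leading slash.
RewriteRule ^author/ - [R=404,L]
</IfModule>
```

After saving the file, requests for /?author=1 and /author/anything/ should both return 404 from Apache without WordPress being run.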
The above must be added before any directives inserted by WordPress. That is, make sure the rules here are listed before the line that says "# BEGIN WordPress" in the .htaccess file.
The rules will fail any attempt to access URLs that begin with http://www.example.com/?author= or http://www.example.com/author/, where www.example.com is your blog's address, whether what follows is valid or not.
Note that this is not the only way to disable the author archives. You can also add an author.php file to your WordPress theme (or alter it if one already exists) that does nothing except return a 404 error code. However, the .htaccess solution is faster to execute and lightweight, since the request is processed directly by the web server without having to run the more resource-demanding WordPress software. It also has the advantage that it will not be overwritten if the theme gets updated.
Since my visitor did not tell me why he was concerned about the author archives, I will try to address two of the possible reasons why it irked him.
The first of these is that the author archive is yet another copy of your posts, identical to those on the individual article pages (the permalink pages). This potentially leads to duplicate content issues on search engines that some people try to avoid.
If this is your concern, then you should remember that the author archive is only one of the numerous places where your post is replicated throughout your blog. For example, take a look at your home page, category pages, monthly archives, tag pages, and possibly others. It is also duplicated in entirety in your RSS feed.
Depending on the WordPress theme that you're using, there are two ways to deal with this. Which way you take depends on what the theme does. You may even have to use both methods so that it works consistently across your home page and archives.
If your theme automatically uses excerpts on your home page and/or archive pages, you can either let WordPress generate the excerpt, or manually enter your own every time you make a post. The latter is useful in instances where the automatic generation leads to an excerpt that is truncated before anything useful is said. (WordPress simply extracts the first 55 or so words of your post when it creates the excerpt.)
To manually create your own excerpt, click the "Screen Options" button on the "Add a New Post" screen. It's at the top right corner of the screen (or at least it was, in the version of WordPress I used when I wrote this). A series of checkboxes will appear. Click the "Excerpt" checkbox to add an "Excerpt" field. This will allow you to write your own excerpt.
If you are using a theme that does not automatically create an excerpt, you can manually insert a Read More tag into each post you make. That is, write the opening paragraph (or paragraphs) that will appear everywhere, then click the "Insert Read More tag (Shift+Alt+T)" icon. (Hover your mouse over the various icons just above the posting box to find the one with those words in the pop-up tooltip.) Alternatively, if you prefer to post using the "Text" mode (rather than the "Visual" mode), you can insert your own Read More marker by putting "<!--more-->" (without the quotation marks) into the code. Anything you type after that tag will only appear in your article (ie permalink) page.
You can also configure your RSS feed to use a summary instead of the full post. To do this, click "Settings" followed by "Reading" in your WordPress dashboard. Click "Summary" for the "For each article in a feed, show" option. Note though that RSS feeds are not affected by search engine duplicate content issues. This is merely for those who prefer to use a summary instead of the full post.
Another possible reason for my visitor's desire to block the author archive is that he did not want to disclose his user login name, which is revealed in the URL for the author archive page. That is, an address of http://www.example.com/author/username/, by default, indicates that the author has a login name of username.
If this is the reason, you should be aware that the author's username is also leaked on every post you make on your site, depending on the theme you use. You can see if this is the case for your blog by going to one of your posts. Somewhere on that page is a link that says something like "Posted by [author name]". Move your mouse so that the pointer hovers over the link, and you will find that it points to your author archive page.
To fix this, change the nickname of your WordPress login account. By default, it is set to your user name. Go to your WordPress dashboard, click "Users" in the side column, followed by "Your Profile". Enter a new name into the "Nickname" field, one that is different from your user name. Then go to the "Display name publicly as" field and select something other than your user name, that is, either your nickname, or whatever name you have entered into the First Name and Last Name fields. When you're done, click the "Update Profile" button at the bottom of the page. Your author archive address will now become http://www.example.com/author/nickname/.
(And since you have disabled your author archive page with the .htaccess directives earlier, you may also want to consider modifying your theme so that the "Posted by [author]" is not a link, but just plain text. Otherwise visitors clicking the link will end up at an error page.)
Incidentally, if security is your concern, blocking the author queries/archives and changing the nickname are not sufficient in themselves. You should also take the commonly-advocated additional steps to secure a WordPress blog.
Using .htaccess directives to block author ID and archive requests is probably the most efficient way of preventing such queries from succeeding. However, if your reason is one of the common ones mentioned above, you will also need to take the additional steps given, otherwise it is pointless.
Copyright © 2018 Christopher Heng. All rights reserved.