Author meta data added to my site, however not what I wanted to see

I was reviewing live traffic on a site that has WordFence installed and found that a bot was attempting to view pages using my author metadata. In some situations this might be an acceptable search, but I did not want it to be an option for my sites. The standard edition of WordFence blocks attempts to discover user names through the ?author=N query and through the new wp-json/wp/v2 API for visitors who have not been authenticated. There is good reason for WordFence to block this access: when an attacker wants to brute force your login, why hand them half of the information? While this is not a true security control, since the better practice is to ensure strong passwords, I choose not to make it any easier for an attacker.

I am not 100% positive at this moment, but I noticed that a link to my author name was embedded in the source of a web page in the same area where Yoast SEO adds metadata. I checked my settings under "Titles & Metas" / "Archives" and found that the "Author archives" setting was enabled. I still need to research how this works and how an attacker could use it to enumerate my user name. In the meantime, I have disabled the option just in case. If you have suggestions on how author names can be enumerated, I will test them on my development server to see whether this Yoast option is what creates the exposure.
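For sites that do not run WordFence, or that want the protection to hold regardless of the Yoast archive setting, the same two leaks described above (the ?author=N lookup that redirects to /author/username/, and the unauthenticated wp-json/wp/v2/users endpoint) can be closed with a small must-use plugin. The following is an added example written for this post; it is not code from WordFence, Yoast or WordPress core, it uses only standard WordPress hooks, and the file name, plugin header and the decision to answer with a 404 rather than a redirect are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Block author enumeration (added example, not WordFence or Yoast code)
 *
 * Save as wp-content/mu-plugins/block-author-enumeration.php so it loads on
 * every request without needing to be activated.
 * Assumptions: stock WordPress hooks only; no dependency on any other plugin.
 */

// 1. Refuse author archives and ?author=N lookups. Without this, WordPress's
//    canonical redirect turns ?author=1 into /author/<login-name>/, which is
//    exactly the leak the bot in the post was probing for.
add_action( 'template_redirect', function () {
    if ( is_author() || isset( $_GET['author'] ) ) {
        // Priority 1 runs before redirect_canonical() at priority 10, so the
        // revealing redirect never fires; the visitor just gets a plain 404.
        global $wp_query;
        $wp_query->set_404();
        status_header( 404 );
        nocache_headers();
    }
}, 1 );

// 2. Hide the REST users collection and single-user routes from visitors who
//    are not logged in. Authenticated users (editors, the block editor, etc.)
//    still see the endpoints, so normal admin work is unaffected.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );

// 3. The oEmbed discovery response for a post also carries the author's
//    display name and author-archive URL; drop both fields from it.
add_filter( 'oembed_response_data', function ( $data ) {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
} );
```

After installing it, confirm the change from a browser that is not logged in: /?author=1 should return a 404 instead of redirecting to an author slug, and /wp-json/wp/v2/users should answer with the REST "no route" error rather than a user list. Themes that print author links (for example a byline linking to the author archive) will still print them; this plugin only makes the linked pages and the API stop revealing the login name, so the display name shown in a byline should differ from the account's login name.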

This is a great reminder that you should review and update the passwords for all your accounts often. I have seen suggestions to review them every 30 days, but I find that on such a schedule users tend to create simpler passwords so they can remember them more easily. I prefer to generate odd passwords and look them up in a cheat sheet as often as I need to. Whatever your choice, just know that if an attacker wants to get into your site they will try whatever they need, so don't make it any easier for them.
