I’m wondering if there’s a way to make 100% sure a user’s info is not available to the public. Our theme is not currently using a profile page, but I did notice that there is a ‘Posts by author’ page for each user.
Aside from that, is there anywhere else a user’s info may show up? I’m hoping to have no info be displayed anywhere on the site, including a user’s email address, name, username, etc.
The reason for this is that our WordPress users will have very sensitive information that they will not want to be public in any way, shape or form.
Question: Where in a public/not-logged-in request can author info be exposed?
1 Answer
This is dependent on your theme/plugins so it’s impossible to answer, as s_ha_dum mentioned.
For example some themes output the author name in the body as a class like <body class="author-keanu">
or maybe they just use the author id like <body class="archive author-22">
and then you can check the author by going to www.example.com/?author=22
and maybe the template hierarchy has an author page, or a plugin added one, or maybe not.
Since there are lots of WP functions that can output or use the author nicename or author IDs, the only real solution is to audit your theme/plugin code.
Another important note is that you can guess if a username exists using WP’s login. For example, if you guess an existing username of “Jane” the error will be:
ERROR: The password you entered for the username Jane is incorrect.
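
An added example, not part of the original answer: a small audit helper that checks rendered pages from your own site for the leaks described above (author nicename or ID in the body class, and the login error that confirms a username). The sample pages, paths and function names are constructed for illustration; in practice you would feed it HTML saved from a logged-out browser session.

```python
import re
from html.parser import HTMLParser

# Login error text quoted in the answer; seeing it confirms the username exists.
LOGIN_LEAK = re.compile(r"The password you entered for the username (\S+) is incorrect")
# Body class tokens such as "author-keanu" or "author-22" (both shown in the answer).
AUTHOR_CLASS = re.compile(r"^author-(.+)$")


class BodyClassParser(HTMLParser):
    """Collects the class tokens of the <body> tag."""

    def __init__(self):
        super().__init__()
        self.classes = []

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.classes = (dict(attrs).get("class") or "").split()


def audit_page(html):
    """Return a list of (kind, value) findings for one rendered page."""
    findings = []
    parser = BodyClassParser()
    parser.feed(html)
    for token in parser.classes:
        m = AUTHOR_CLASS.match(token)
        if m:
            kind = "author-id" if m.group(1).isdigit() else "author-nicename"
            findings.append((kind, m.group(1)))
    # Strip tags first: the username may be wrapped in <strong> in the markup.
    m = LOGIN_LEAK.search(re.sub(r"<[^>]+>", "", html))
    if m:
        findings.append(("login-username-confirmed", m.group(1)))
    return findings


# Constructed sample pages (hypothetical paths and markup), keyed by request path.
SAMPLES = {
    "/?author=22": '<body class="archive author author-keanu author-22"><h1>Posts</h1></body>',
    "/wp-login.php": '<body class="login"><div id="login_error"><strong>ERROR</strong>: '
                     'The password you entered for the username <strong>Jane</strong> is incorrect.</div></body>',
    "/about/": '<body class="page page-id-7"><p>About us</p></body>',
}

if __name__ == "__main__":
    for path, html in SAMPLES.items():
        print(path, audit_page(html) or "no author info found")
```

This only covers the patterns named in the answer; other theme or plugin output still needs the code audit the answer recommends.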