Friday, October 16, 2015

WordPress security: disallow author query

Friday afternoon. Looking at the access log... here are some "nice" requests. They happened at the same millisecond, and look very "hack-ish" to me.

54.80.2.64 - - [16/Oct/2015:18:46:25 +0000] "HEAD /?author=5 HTTP/1.1" 404 159 "-" "-"
54.80.2.64 - - [16/Oct/2015:18:46:25 +0000] "HEAD /?author=1 HTTP/1.1" 404 159 "-" "-"
54.80.2.64 - - [16/Oct/2015:18:46:25 +0000] "HEAD /?author=3 HTTP/1.1" 404 159 "-" "-"
54.80.2.64 - - [16/Oct/2015:18:46:25 +0000] "HEAD /?author=2 HTTP/1.1" 404 159 "-" "-"
54.80.2.64 - - [16/Oct/2015:18:46:25 +0000] "HEAD /?author=4 HTTP/1.1" 404 159 "-" "-"


Well, they all resulted in 404 Page not found...

...because I have this in .htaccess:

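# Do not allow author queries, to avoid exposing real names.
# (^|&) matches "author=" anywhere in the query string, not only as the first parameter.
RewriteCond %{QUERY_STRING} (^|&)author=\d+
# Answer with 404 and stop processing further rules.
RewriteRule ^ - [R=404,L]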

It's that simple. :)
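
To spot this kind of probing in an access log without reading it by eye, here is an added example (not code from the original post): it parses combined-format log lines and reports clients that request several distinct author IDs within a short window. The function name and thresholds are assumptions; the first three sample lines are from the log above, the rest are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# "Combined" access log format, as in the lines quoted in the post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} '
)

def find_author_probes(lines, min_ids=3, window=timedelta(seconds=60)):
    """Return {ip: sorted author IDs} for clients that requested at least
    min_ids distinct ?author=N values within `window` (assumed thresholds)."""
    hits = defaultdict(list)  # ip -> [(timestamp, author_id)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        query = parse_qs(urlsplit(m["target"]).query)
        # parse_qs finds "author" at any position in the query string
        ids = [v for v in query.get("author", []) if re.fullmatch(r"[0-9]+", v)]
        if ids:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].extend((ts, int(v)) for v in ids)

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct IDs requested within `window` of this event
            seen = {a for t, a in events[i:] if t - start <= window}
            if len(seen) >= min_ids:
                flagged[ip] = sorted(seen)
                break
    return flagged

# Sample input: first three lines from the post, last two constructed.
SAMPLE = [
    '54.80.2.64 - - [16/Oct/2015:18:46:25 +0000] "HEAD /?author=5 HTTP/1.1" 404 159 "-" "-"',
    '54.80.2.64 - - [16/Oct/2015:18:46:25 +0000] "HEAD /?author=1 HTTP/1.1" 404 159 "-" "-"',
    '54.80.2.64 - - [16/Oct/2015:18:46:25 +0000] "HEAD /?author=3 HTTP/1.1" 404 159 "-" "-"',
    '192.0.2.10 - - [16/Oct/2015:18:50:02 +0000] "GET /?author=1 HTTP/1.1" 404 159 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [16/Oct/2015:18:50:09 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_author_probes(SAMPLE))  # {'54.80.2.64': [1, 3, 5]}
```

A single author request, like the one from the constructed visitor 192.0.2.10, stays below the threshold and is not reported.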