In WordPress, you can register multiple authors, and each author has their own URL. The problem is that this author URL displays the author's username, which poses a security risk for your WordPress site. Because the author username is exposed, attackers could use it to try to log in or brute-force their way into your site.
To solve this problem, we can mask the author URL with a randomized ID such as a UUID. This way, the author URL won't reveal the author's username and will be more secure.

We'll look at two approaches: the hard way, where we write the code ourselves, and the easy way, where we use a plugin.
So, without further ado, let's see how it works.
The Hard Way
To begin, create a new PHP file, for example uuid-slug.php, inside either the /wp-content/plugins directory or the /wp-content/mu-plugins/ directory to load it as a must-use plugin. This file will contain the plugin headers…
<?php
/**
 * Plugin bootstrap file.
 *
 * This file is read by WordPress to display the plugin's information in the admin area.
 *
 * @wordpress-plugin
 * Plugin Name:       Author UUID Slug
 * Plugin URI:        https://github.com/hongkiat/wp-author-uuid-slug
 * Description:       Use UUID for the author URL.
 * Version:           1.0.0
 * Requires at least: 6.0
 * Requires PHP:      7.4
 * Author:            Thoriq Firdaus
 * Author URI:        https://github.com/tfirdaus
 */
…and the logic required to implement UUID-based author URLs. In this case, we will provide a simple input in the user profile editor to add the UUID.
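// Render the UUID field on both "Your Profile" and "Edit User" screens.
add_action('show_user_profile', 'add_uuid_field_to_profile');
add_action('edit_user_profile', 'add_uuid_field_to_profile');

function add_uuid_field_to_profile($user)
{
    // The UUID is stored per user in the '_uuid' meta key.
    $uuid = get_user_meta($user->ID, '_uuid', true);
    ?>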
For security reasons, this input will only be active and editable for users with the manage_options permission, so only administrators will be able to add or update the UUID for users. Users without the proper permissions will see the input as read-only.
Change the Author URL
Next, we need to modify the author URL to use the UUID instead of the author's username. This can be done by implementing the author_link filter, as shown below:
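add_filter('author_link', 'change_author_url', 10, 3);

function change_author_url($link, $author_id, $author_nicename)
{
    $uuid = get_user_meta($author_id, '_uuid', true);

    // Swap the nicename segment for the UUID only when one is actually stored;
    // get_user_meta() returns an empty string when the key is missing.
    if (is_string($uuid) && $uuid !== '') {
        return str_replace('/' . $author_nicename, '/' . $uuid, $link);
    }

    return $link;
}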
This implementation will update the generated URL for the author, affecting both the front-end theme and the admin interface.

Handling Queries for Author Archives
Since we've modified the URL structure for author archive URLs, we also need to handle the corresponding queries. Without this, WordPress would return a 404 Not Found error because it wouldn't know how to query authors by their _uuid metadata.
To implement this functionality, we can use the pre_get_posts hook as shown below:
add_action('pre_get_posts', 'author_uuid_query');

function author_uuid_query($query)
{
    // Only touch the front-end main query for an author archive; without this
    // guard every query with an empty author_name would be turned into a 404.
    if (is_admin() || ! $query->is_main_query() || ! $query->is_author()) {
        return;
    }

    /**
     * If the permalink structure is set to plain, the author should be queried
     * by the user ID.
     */
    if ((bool) get_option('permalink_structure') === false) {
        return;
    }

    $author_name = $query->query_vars['author_name'] ?? '';

    // Anything that is not a UUID (including the real username) gets a 404.
    if (! is_string($author_name) || ! wp_is_uuid($author_name)) {
        $query->is_404 = true;
        $query->is_author = false;
        $query->is_archive = false;

        return;
    }

    // Look up the user that owns this UUID.
    $users = get_users([
        'meta_key' => '_uuid',
        'meta_value' => $author_name,
    ]);

    if (count($users) <= 0) {
        $query->is_404 = true;
        $query->is_author = false;
        $query->is_archive = false;

        return;
    }

    $user = $users[0];

    if (! $user instanceof WP_User) {
        $query->is_404 = true;
        $query->is_author = false;
        $query->is_archive = false;

        return;
    }

    // Hand WordPress the real nicename so the archive query resolves normally.
    $query->set('author_name', $user->user_nicename);
}
The code above checks whether the permalink structure is set to something other than the default “Plain” setting. We exclude handling queries for the “Plain” permalink structure because WordPress uses the author ID (?author=) rather than the author_name in this case.
Changing the Author Slug in REST API
The user's username is also exposed in the /wp-json/wp/v2/users REST API endpoint. To improve security, we'll modify this by replacing the username with the UUID. This can be done by implementing the rest_prepare_user hook as demonstrated below:
add_filter('rest_prepare_user', 'change_user_slug_in_rest_api', 10, 2);

function change_user_slug_in_rest_api($response, $user)
{
    $data = $response->get_data();

    if (is_array($data)) {
        // $user is the WP_User being serialized for the REST response.
        $uuid = get_user_meta($user->ID, '_uuid', true);

        // Replace the slug only when a UUID is actually stored.
        if (is_string($uuid) && $uuid !== '') {
            $data['slug'] = $uuid;
        }
    }

    $response->set_data($data);

    return $response;
}
With this implementation, the author URL will now use the UUID instead of the username. Any attempt to access the author URL using the original username will result in a 404 Not Found error.
While this solution works effectively for smaller sites or those with limited users, it can become cumbersome to manage when dealing with a large number of users. In such cases, implementing UUIDs manually for each user would be time-consuming and impractical.
Therefore, let's explore an alternative approach that offers a more streamlined solution.
The Easy Way
For a simpler solution, we'll use a plugin called Feature Flipper. This plugin provides several security features, including the ability to obfuscate usernames using UUIDs.
You can install the plugin directly from the Plugins section in your WordPress dashboard. After installation and activation, navigate to Settings > Feature > Security and enable the Obfuscate Usernames option.

Once you've saved the settings, the plugin will automatically generate UUIDs for all existing users on your site. Additionally, it will assign UUIDs to any new users upon registration.
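The same automation can be added to the hand-written plugin from the hard way. The following is an added example, not code from the original tutorial or from the Feature Flipper plugin; it assumes the _uuid meta key used above, and the function names author_uuid_assign and author_uuid_backfill are hypothetical.

```php
<?php
// Added example: relies on the '_uuid' user meta key from the tutorial code.

/**
 * Give a user a UUID unless a valid one is already stored.
 * Hypothetical helper; returns the UUID in effect for the user.
 */
function author_uuid_assign(int $user_id): string
{
    $existing = get_user_meta($user_id, '_uuid', true);

    // Keep a value an administrator has already set.
    if (is_string($existing) && wp_is_uuid($existing)) {
        return $existing;
    }

    // wp_generate_uuid4() is based on mt_rand(): fine for an opaque slug,
    // not a source of secrets.
    $uuid = wp_generate_uuid4();
    update_user_meta($user_id, '_uuid', $uuid);

    return $uuid;
}

// New accounts get a UUID as soon as they are created.
add_action('user_register', 'author_uuid_assign');

/**
 * Backfill accounts that have no '_uuid' yet, in batches so that large
 * sites are not loaded into memory at once. Returns the number updated.
 */
function author_uuid_backfill(int $batch = 200): int
{
    $updated = 0;

    do {
        // Users drop out of this query once they have been assigned a UUID.
        $ids = get_users([
            'fields'     => 'ID',
            'number'     => $batch,
            'meta_query' => [['key' => '_uuid', 'compare' => 'NOT EXISTS']],
        ]);

        foreach ($ids as $id) {
            author_uuid_assign((int) $id);
            $updated++;
        }
    } while (count($ids) === $batch);

    return $updated;
}
```

The backfill only needs to run once, for example from WP-CLI with wp eval 'echo author_uuid_backfill();'.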
Conclusion
Implementing UUIDs for author URLs is an effective security measure that helps protect your WordPress site by concealing author usernames. This approach significantly reduces the risk of brute-force attacks and unauthorized access attempts.
Throughout this tutorial, we've explored two implementation methods. For those who want a custom solution, the complete source code is available in our GitHub repository. Alternatively, the Feature Flipper plugin offers a simpler approach for users looking for a ready-made solution.
The post How to Use UUID for WordPress Author URL appeared first on Hongkiat.
Source: https://www.hongkiat.com/blog/wordpress-uuid-author-url-security-guide/