New Author Path
An author URL displays all posts published by a specific author on your WordPress site. By default, these URLs use the /author/ slug, which makes them easily identifiable as part of a WordPress installation.
This feature allows you to customize the default /author/ endpoint, replacing it with a unique slug such as /contributor/ or any other term that better fits your branding or enhances security. For example:
- Default author URL format: https://your-domain.com/author/author-name/
- Customized author URL using the “contributor” slug: https://your-domain.com/contributor/author-name/
Changing the author URL slug can serve both aesthetic and security purposes. Since /author/ is a well-known and predictable pattern used by WordPress, it becomes a target for bots and malicious users trying to identify your site’s CMS or enumerate usernames.
By customizing the author base, you make it slightly more difficult for automated tools to recognize your site as WordPress-based, which can help reduce the likelihood of targeted attacks. While not a standalone security solution, it’s a useful step as part of a broader hardening strategy.
This setting is especially helpful for sites with multiple contributors, where branding and URL structure consistency are important.
Prevent Access to Author Archives
By default, WordPress generates author archive pages using URLs like yoursite.com/?author=ID. This behavior can be exploited by attackers who repeatedly request URLs such as ?author=1, ?author=2, and so on, until they find valid user IDs, revealing active usernames on your site.
To enhance security, it’s best to completely disable access to these types of URLs, especially since author archive pages often serve little or no purpose on many sites.
Even if your permalink settings are not set to the default (i.e., ‘Plain’), WordPress will still redirect ?author=ID URLs to the corresponding author archive page, if it exists. Therefore, additional measures are necessary to block these redirects and prevent username enumeration.
Block Default Author URL
After changing the default author URL slug (e.g., from /author/ to /contributor/), the original URL remains accessible by default. This means that both the old and new URLs will redirect to the same author archive page, which can be problematic from both a security and SEO standpoint.
To prevent this, it’s recommended to block access to the old author URL entirely and allow only the new custom slug. Leaving the default /author/ endpoint accessible can still expose your site to potential user enumeration attacks or signal that your site is running on WordPress, which may attract automated bots and malicious traffic.
By blocking the legacy URL, you ensure that visitors and search engines are directed only to the intended, branded author archive path. This also helps avoid duplicate content issues and improves overall site structure and security.
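The three measures described on this page (the custom author base, refusing ?author=ID requests, and blocking the legacy /author/ path) as one must-use plugin. This is an added example written for this page, not the plugin's own code; it assumes WordPress is installed at the site root, and the constant name CUSTOM_AUTHOR_BASE and the slug contributor are assumptions.

```php
<?php
/**
 * Plugin Name: Author Path Hardening (added example)
 *
 * Added example, not the plugin's own code. Installed as a must-use
 * plugin (wp-content/mu-plugins/), it applies the three measures above:
 * a custom author base, a refusal of ?author=ID probes, and a block on
 * the legacy /author/ path. Assumes WordPress lives at the site root.
 */

// Hypothetical constant: the slug that replaces the default /author/.
const CUSTOM_AUTHOR_BASE = 'contributor';

// Measure 1: rename the author base. Rewrite rules are cached, so
// regenerate them once afterwards (Settings -> Permalinks, or
// flush_rewrite_rules() on plugin activation).
add_action( 'init', function () {
    global $wp_rewrite;
    $wp_rewrite->author_base = CUSTOM_AUTHOR_BASE;
} );

// Measures 2 and 3: refuse enumeration requests early, before
// WordPress's canonical redirect can turn ?author=ID into the pretty
// URL and thereby disclose the username.
add_action( 'init', function () {
    // ?author= is legitimate on admin screens (post list filtering).
    if ( is_admin() ) {
        return;
    }

    // Only a purely numeric author value is the enumeration probe.
    $author_param = isset( $_GET['author'] ) ? (string) $_GET['author'] : '';
    $is_id_probe  = preg_match( '/^\d+$/', $author_param ) === 1;

    // The legacy /author/<name>/ path stays reachable after the base is
    // renamed unless it is blocked explicitly.
    $path           = (string) parse_url( $_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH );
    $is_legacy_path = preg_match( '#^/author(/|$)#i', $path ) === 1;

    if ( $is_id_probe || $is_legacy_path ) {
        // Answer identically for valid and invalid IDs: a 403 with no
        // redirect gives the probe nothing to distinguish.
        status_header( 403 );
        nocache_headers();
        exit( 'Forbidden' );
    }
}, 1 );
```

Keep the legacy-path block only while CUSTOM_AUTHOR_BASE differs from author, otherwise it would block the live author archives as well.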