sitemap_index.xml opens sitemap-author.xml and exposes user name

#77616
  • Just noticed this on one of my sites. Following the sitemap link first goes to the page and shows the sitemap_index.xml file. Clicking on it to expand it then shows https://My-Domain.com/author-sitemap.xml. Clicking on that goes to https://My-Domain.com/author/my user login identity. This gives away my login name. In my user (admin) for WordPress my display details for myself are set to my name, not my user login identity. All my authored content on pages and posts displays as my name – not my login ID name. This is a serious issue. This may be since WordPress 5.5 or a configuration conflict, BUT I NEED TO RESOLVE IT.

    Also if I were to click on the sitemap that shows my author name, it redirects me to my site frontend showing content written by me. Each item shows my full name (not my masked user name) but the damage is already done. Anyone calling up my sitemap finds my hidden user name.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Hello,

    Thank you for contacting Rank Math and sorry for any inconvenience that might have been caused due to that.

    Do you wish to disable the author sitemap? If so, you can head to Rank Math > Titles & Meta > Authors and disable author archives or set them to noindex.

    If you wish to still have the author sitemap but exclude some authors from being shown in the sitemap, you can change this in Rank Math > Sitemap Settings > Authors by checking user roles to exclude.

    Looking forward to helping you. Thank you.


    Thanks for the prompt reply. I have now done this so the author sitemap is not created. My concern is that should I need to have the author sitemap, it identifies the author by the internal user identity, which is a bad thing for security.
    In WordPress user settings you can mask the user login identity and stipulate a name that appears instead of this. This is used anywhere you author content so as to not give away your login ID.
    Most recommendations regarding site security identify this as an important step to secure your site. Making hackers have to guess both your login ID and your password decreases their chances of being successful.
    There needs to be a way to ensure the internal user's real ID is not compromised by displaying it in the author sitemap. Maybe in the way it hooks into identifying content?

    Hi,

    Thanks for getting in touch with us.

    This is something WordPress does so it is how we do it in Rank Math as well.

    Allow me to explain.

    When you publish a new post, if your theme is set up to show the author name along with a link inside your posts, that link will lead to domain.com/author/username. Even if the display name is different, the URL will still show the username.

    So, it doesn’t matter if Rank Math shows the username in the sitemap or not because your WordPress is already doing that.

    If we change the author link in the sitemap, it needs to be changed in the core WP site as well. Otherwise, you will have domain.com/author/username in WP and domain.com/author/display-name. Even if it works, it will create duplicate author archives.

    Not to make comparisons but this is how other SEO plugins handle sitemaps as well.

    What we recommend and other security experts recommend (not just when using Rank Math) is that you should not use your admin username to publish content.

    Create a new username with the display name as user ID and use that to author posts.

    Hope that helps and please do not hesitate to let us know if you need our assistance with anything else.

    Thank you, I understand what you are saying. Creating another user to author content would be one way, as you say. The issue I see is you would still have a user with a level of privileges that may be exposed to a hacker. I think it is best just not to have the author in the sitemap at all and overcome the issue that way.

    Thanks for your follow up. I am enjoying RankMath as a very useful addition to my sites.
    Thanks again.

    Hello,

    Yes, I agree with you, it would be nice to hide the user. Another way would be to use some security plugin to enable the admin user only when logging in from a certain IP, so it would be a little bit more secure. About the thread, do you have any other questions? Or do you want us to close this thread? In any case, we will be here if you have any other questions or issues in the future.

    Looking forward to helping you.

    That's all, thanks, you can close the thread. Just a thought that others may not be aware of this situation. Maybe you could add a mention in your newsletters or setup tutorials so others can configure accordingly.

    Hello,

    We are super happy that this resolved your issue. If you have any other questions in the future, know that we are here to help you.

    If you don’t mind me asking, could you please leave us a review (if you haven’t already) on https://wordpress.org/support/plugin/seo-by-rank-math/reviews/#new-post about your overall experience with Rank Math? We appreciate your time and patience.

    If you do have another question in the future, please feel free to create a new forum topic, and it will be our pleasure to assist you again.

    Thank you.
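The exchange above turns on one WordPress core fact: the /author/ URL (and so the author sitemap entry) is built from the user's nicename slug, which defaults to the login name. As an added example, not code from Rank Math, WordPress core or any participant in this thread, the mu-plugin below audits which users still expose their login that way and, when called explicitly, gives an affected user a nicename derived from the display name; the asa_ function names are my own.

```php
<?php
/**
 * Plugin Name: Author Slug Audit (added example; not Rank Math or WordPress core code)
 * Place in wp-content/mu-plugins/. Assumes a standard WordPress install (PHP 7.4+).
 *
 * /author/<slug>/ is built from user_nicename, which defaults to user_login,
 * so any sitemap listing author archives discloses the login name unless the
 * nicename differs. This audits for that and, when called explicitly, gives
 * an affected user a nicename derived from the display name instead.
 */
/** Return users whose author archive URL reveals their login name. */
function asa_users_exposing_login(): array {
    $exposed = [];
    foreach ( get_users() as $user ) {
        // Nicenames are lower-cased slugs, so compare case-insensitively.
        if ( strtolower( $user->user_nicename ) === strtolower( $user->user_login ) ) {
            $exposed[] = [
                'ID'    => $user->ID,
                'login' => $user->user_login,
                'url'   => get_author_posts_url( $user->ID ),
            ];
        }
    }
    return $exposed;
}

/** Give one user a nicename built from the display name ("Jane Doe" -> "jane-doe"). */
function asa_fix_nicename( int $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'asa_no_user', 'Unknown user ID' );
    }
    $slug = sanitize_title( $user->display_name );
    // Refuse an empty slug or one that still equals the login; choose one by hand instead.
    if ( '' === $slug || strtolower( $slug ) === strtolower( $user->user_login ) ) {
        return new WP_Error( 'asa_bad_slug', 'Display name does not yield a distinct slug' );
    }
    // wp_update_user() appends a numeric suffix if another user already has this slug.
    return wp_update_user( [ 'ID' => $user_id, 'user_nicename' => $slug ] );
}

/** Show administrators a warning while any user is still exposed. */
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) || ! ( $exposed = asa_users_exposing_login() ) ) {
        return;
    }
    $names = implode( ', ', array_map( fn( $u ) => esc_html( $u['login'] ), $exposed ) );
    echo '<div class="notice notice-warning"><p>Author archive URLs reveal the login of: ' . $names . '</p></div>';
} );
```

Run asa_fix_nicename() once per affected user (for instance via `wp eval`) rather than on every request; once the nicename changes, the old /author/<login>/ URL no longer resolves and the author sitemap picks up the new slug.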


The ticket ‘sitemap_index.xml opens sitemap-author.xml and exposes user name’ is closed to new replies.