Switchboard DOCS
Docs
Get Started Get Lifetime Deal

Disable Author Archives

Every WordPress site has author archive pages at /author/username/. These pages list all posts by that author — and they also reveal the author’s login username. Attackers use this for reconnaissance: find the username, then brute force the password. If you don’t need author archives (many sites don’t), disable them entirely.

Use Cases

  • Prevent attackers from discovering admin usernames
  • Remove unnecessary pages on single-author blogs
  • Block the /?author=1 enumeration technique
  • Reduce SEO crawl of low-value archive pages
  • Simplify site structure by removing unused features

How It Works

This is a toggle module — enable it and author archives are gone. No configuration needed.

When enabled:

  • All /author/username/ URLs return 404 errors
  • Author links in themes point to # (nowhere)
  • The /?author=1 enumeration trick stops working
  • Author archive templates are never loaded

What Gets Disabled

LocationBeforeAfter
/author/admin/Shows admin’s posts404 Not Found
/author/johndoe/Shows johndoe’s posts404 Not Found
/?author=1Redirects to admin’s archive404 Not Found
Post author linksLink to author archiveLink to #

Username Enumeration Explained

Attackers use several techniques to discover WordPress usernames:

Technique 1: Direct URL

yoursite.com/author/admin/

If this loads, “admin” is a valid username.

Technique 2: Author Parameter

yoursite.com/?author=1

WordPress redirects to /author/[username]/, revealing the username.

Technique 3: REST API

yoursite.com/wp-json/wp/v2/users

Returns user data including usernames. (Use “Disable REST API” module for this.)

This module stops techniques 1 and 2. For technique 3, combine with the REST API module.

Verification

After enabling:

  1. Try visiting yoursite.com/author/admin/
  2. Should see your theme’s 404 page
  3. Try yoursite.com/?author=1
  4. Should also return 404 (not redirect)
  5. Check a blog post — author name link should go to #

Impact on Themes

Most themes display the author name on posts with a link to their archive. After enabling this module:

  • The link points to # (nowhere)
  • Clicking the author name does nothing
  • The author name itself is still visible

If you want to hide author names entirely, that’s a theme customization — edit your theme’s templates or use CSS to hide the author display.

Single-Author Blogs

If you’re the only author on your site, author archives add no value:

  • The author archive is just a duplicate of your main blog
  • It exposes your username unnecessarily
  • Search engines may see it as duplicate content
  • There’s no reason for visitors to filter by author

This module is perfect for single-author blogs.

Multi-Author Sites

On multi-author sites, author archives can be useful for:

  • Finding all posts by a specific writer
  • Author profile/bio pages (if theme supports it)
  • SEO for author-brand building

Consider the tradeoff: Is the feature value worth the security exposure? You can use “Obfuscate Author Slugs” instead if you want archives but not username exposure.

FAQ

Will this affect SEO?If author archives were indexed and receiving traffic, removing them will affect that traffic. For most sites, author archives get minimal traffic. Consider 301 redirects if you have significant author archive SEO value (requires custom code).
What about the author’s display name on posts?The display name shown on posts is unaffected. Only the archive pages and links to them are disabled. To hide author names on posts, edit your theme.
Can I keep archives for some authors but not others?Not with this module — it’s all or nothing. For selective author archives, you’d need custom code.
What’s the difference between this and Obfuscate Author Slugs?
  • Disable Author Archives: Removes author pages entirely (404)
  • Obfuscate Author Slugs: Keeps author pages but hides usernames in URLs

Choose based on whether you want author archives to exist at all.

Will bots still try to access author pages?Yes, bots will still try. They’ll just get 404 responses instead of useful information. This is the desired behavior — it frustrates enumeration attempts without giving attackers any data.
Does this block REST API user enumeration?No. The REST API is a separate endpoint. Use the “Disable REST API” module to restrict that attack vector.

For comprehensive username protection, consider using multiple modules together:

ModuleWhat It Does
Disable Author ArchivesRemoves author pages entirely
Obfuscate Author SlugsHides usernames in author URLs
Disable REST APIBlocks API-based user enumeration
Hide WP VersionRemoves version info attackers use

Quick test: Before enabling, check your analytics to see if anyone visits your author archives. If traffic is near zero, you won’t miss them.

This module disables the redirect_canonical filter to prevent WordPress from redirecting author requests. This is intentional and necessary for the 404 to work properly.

PRO

Get access to all 147 modules with a single license

Upgrade to Pro
Prev
Custom Field Groups
Next
Custom Admin CSS