I've searched for any related issues and avoided creating a duplicate issue.
Please give us a description of what happened
Disabling archives (e.g. author archives /wp-admin/admin.php?page=wpseo_page_settings#/author-archives) will mean that the author archive page + all feeds of it will 301 redirect to home page instead of 404.
Server load: it unnecessarily creates server load even when served from page cache (since we need to serve 2 requests as we first need to serve the 301 and then the home page), and the author and feed pages are requested gazillions of times by various bots
For WP installs that do not cache 301s (which are 99% of WP sites I'd guess), it's even worse, since it massively increases the server load since the disabled archives wouldn't be served from page cache
(and WP sites without a page cache are even worse off, since it's effectively serving 2 uncached requests)
Security: this feature accidentally creates a side-channel attack.
e.g. you have an existing user John. Disabling the author archives will then mean:
/author/John/ => redirected to home page, 301
/author/Robert/ => this user does not exist, 404
Now this by itself already could be abused for side-channel attacks, since it allows us to easily circumvent login restrictions. e.g. I have a list of usernames+passwords from a leak, but I cannot try all of them, since most pages rate limit invalid logins. I can now use this inconsistent behavior to validate the usernames and then only try the valid usernames for login.
Even worse, when using a security plugin that also disables these archives but serves them as 404s, Yoast usually intercepts earlier and forces the 301, which means that unsuspecting users accidentally make their site less secure by disabling the archives with Yoast in this case.
Additionally, this allows checking if a specific person has an account on a page (which I guess is one of the reason many sites disable those, since it creates unnecessary data privacy requirements)
This same issue also exists for the other archives.
For media it redirects to the actual image instead of 404-ing (as it says there), however I think the more efficient (and preferred, or in that case possibly optional) way would be to just 404 it too.
We have discussed this internally and decided to create an internal issue to make further decisions about improving this. The newly created issue is now in the product enhancements board.
To Reproduce
Step-by-step reproduction instructions
Expected results
404
Actual results
301 to home page
Technical info
Used versions
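The following is an added example, not code from the issue reporter or from the Yoast SEO project. It probes /author/<name>/ without following redirects and reports whether the site answers differently for existing and unknown usernames (301 versus 404), which is exactly the user-existence oracle described above. The hostname example.test, the usernames john and robert, and the helper names (NoRedirect, http_status, classify, probe_usernames, leaks_user_existence) are assumptions; the FAKE_SITE table is constructed so the script runs offline, and a real probe only replaces the fetch function.

```python
"""Check whether disabled author archives leak user existence via status codes.

Added example, not part of the original issue or of Yoast SEO. The hostname,
usernames and function names below are assumptions made for illustration.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses: the redirect status itself is the signal.

    Returning None makes urllib raise HTTPError carrying the 3xx code, which
    http_status() below catches and reports instead of fetching the home page.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str, timeout: float = 10.0) -> int:
    """Return the raw HTTP status of a GET to url without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "archive-oracle-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """Map the status of /author/<name>/ to what it reveals about <name>."""
    if status in (301, 302, 307, 308):
        return "exists"        # disabled archive of a real user: redirected home
    if status == 404:
        return "unknown"       # WordPress found no such author
    return "inconclusive"      # 200 means archives are enabled; anything else, inspect by hand


def probe_usernames(base_url: str, names: Iterable[str],
                    fetch: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Classify each candidate username by the response to its author archive URL."""
    base = base_url.rstrip("/")
    return {name: classify(fetch(f"{base}/author/{name}/")) for name in names}


def leaks_user_existence(results: Dict[str, str]) -> bool:
    """The oracle exists when the same endpoint yields both verdicts for
    different names: responses then depend on whether the user exists."""
    verdicts = set(results.values())
    return "exists" in verdicts and "unknown" in verdicts


# Constructed stand-in for a site with a user "john" and no user "robert",
# mirroring the behaviour reported in the issue (301 for john, 404 for robert).
FAKE_SITE = {
    "https://example.test/author/john/": 301,
    "https://example.test/author/robert/": 404,
}


def fake_fetch(url: str) -> int:
    """Offline replacement for http_status() using the constructed table above."""
    return FAKE_SITE.get(url, 404)


if __name__ == "__main__":
    results = probe_usernames("https://example.test", ["john", "robert"], fetch=fake_fetch)
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    print("user-existence oracle present:", leaks_user_existence(results))
```

To check a site you administer, drop the `fetch=fake_fetch` argument so the default `http_status` is used; a hardened configuration answers 404 for both the existing and the made-up name, so `leaks_user_existence` returns False. The same probe applies unchanged to the feed variant (`/author/<name>/feed/`), which the issue notes is redirected in the same way.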