Competitor is somehow accessing MetaData on a hidden WordPress site

Well we found one reason anyway – it looks like you can bring up a list of authors using ?author=1 query, which I hadn’t even known existed. Here’s an article that explains how and how to fix it:

https://www.wp-tweaks.com/hackers-can-find-your-wordpress-username/

Related Posts:

  1. No option “I would like my site to be private, visible only to users I choose” in Privacy Settings
  2. How can I have more confidence that WP plugins aren’t getting and storing user data?
  3. WordPress – tracking options
  4. SSL Error: unable to get local issuer certificate
  5. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  6. What is the difference between a cer, pvk, and pfx file?
  7. Where does Internet Explorer store saved passwords?
  8. Infected Files – what to do [closed]
  9. Why does WordPress need my private ssh key to update?
  10. Why does WordPress have more than one salt?
  11. What is the ideal setup to address security concerns?
  12. is_email() VS sanitize_email()
  13. Can someone explain the use cases of esc_html?
  14. Close a wordpress blog – keep site as it is but prevent hacks
  15. Moving wp-config.php: Can this be done after site launch?
  16. Prevent setup-config.php page from appearing when host blocks database
  17. WordPress and Security
  18. Is security a problem in WordPress?
  19. Moving wordpress out of the public directory
  20. Is /wp-login.php?redirect_to[] exploitable?
  21. Logout via Subdomain, non-wordpress page on a different server?
  22. brute force attack even though it is limited by IP
  23. What should I do about hacked server?
  24. How can I tell who changed the password?
  25. WordPress website Security [closed]
  26. How do I authenticate WP users from a chrome extension?
  27. Can’t reset WordPress password
  28. Website is being flooded [closed]
  29. Will WordPress username displayed somewhere in the site?
  30. Is the “lost password” feature truly a vulnerability?
  31. Is it possible to reduce the minimum character length for passwords?
  32. Why was my blog post inserted lot’s of ad links by others?
  33. Should I Worry About SQL Injection When Using wp_insert_post?
  34. Auth cookie value security risk?
  35. Is there a way for a user to have an alias?
  36. Security – Shortcode injection attack
  37. Registration Plugin – Recaptcha integration
  38. Security threat with `home_url`?
  39. How to combat flooding admin-ajax.php?
  40. When is wp_set_password() called or how to capture a password
  41. Moving away from MD5: Where to declare the custom global $wp_hasher?
  42. Would it be dangerous to send all the wp_options to javascript file?
  43. Frequently getting attacks on admin-ajax.php, wp-cron.php, xmlrpc.php and wp-login.php
  44. Should I disable directory listing for wp-includes?
  45. How to get WordPress to send Password Reset Link Email instead of New Password?
  46. Safety side of storing emoji into database
  47. Verifying that I have fully removed a WordPress hack?
  48. Large Session Tokens
  49. How can I safely hide the fact that my website runs on WordPress? [closed]
  50. How to change permissions of WordPress and/or apache on macOS securely?
  51. How can I display nickname instead username in links
  52. My WordPress Websites are always under attack
  53. Is there value in using a wp_nonce for POST requests?
  54. Using an Encryption class in a WordPress Plugin
  55. How to hide easy access to my website temporarily?
  56. Can I Remove xmlrpc.php completely?
  57. Config file with no Keys..?
  58. How much should I worry about these messages?
  59. Security concerns with external links
  60. Uploading .webm format on WordPress results in security guidline breach and fail
  61. Any any insecure http:// URLs left in wordpress?
  62. White screen of death on admin pages after moving wp-config up two levels for security
  63. .htaccess password protection bypassed
  64. Session Cookie security questions
  65. Storing FTP details in wp-config.php
  66. Can a WordPress administrator see other users’ passwords?
  67. Why my plugins are updating automatically?
  68. Spam injected in w3 total cache page cache [closed]
  69. Privilege escalation bugs in 2.9?
  70. Content-Security-Policy blocks WordPress check boxes from being activated
  71. How to distinguish between a hack and an encoding error?
  72. Prevent editor from adding script or form
  73. How to change location of wp-config.php to folder or 2 folders up?
  74. Finding where a snippet of code is coming from
  75. wordpress admin security
  76. Remove hacked code – out of ideas! [closed]
  77. Why do people use “admin” username by default? [closed]
  78. WordPress Database Re-installed (Hacked)
  79. WordPress Security tools
  80. Robots.txt file not updating
  81. Security: Critical backend outside of wordpress
  82. Advice On How to Backup WordPress
  83. How can I stop other plugins from using my class’ sensitive methods?
  84. What are WordPress Current Security Issues in 2017?
  85. wp-config.php moved above root results in no plugin updates
  86. Password-protect feed and make it usable in major aggregators
  87. WordPress exploited theme is causing high io load on server
  88. how to find the way they hacked my WP site
  89. How to set custom validation for WordPress Passwords?
  90. How to stop repeated hack on header.php of custom theme? [closed]
  91. is this code properly secured
  92. nginx + wordpress: Best practices for configuring it to be secure, reliable, and fast? [closed]
  93. Directory to store secure file
  94. How can I give someone server access to only duplicate and modify a site?
  95. WP-JSON: Cross Origin Resource Sharing Vulnerability?
  96. How can I implement ansible with per-host passwords, securely?
  97. Why should I firewall servers?
  98. Does drilling a hole into a hard drive suffice to make its data unrecoverable?
  99. Can you alter the default wordpress strong password requirements?
  100. how to sanitizing $_POST with the correct way?
tech