I noticed that the popular Beaver Builder plugin displays the author username on all websites built with BB. It’s not displayed on the front of the website, but in the HTML, as part of Google Schema. This provides the username of every person who published a post. It also applies to Custom Post Types. Knowing the username brings hackers a whole lot closer to breaking in.
Security plugins do not prevent exposing the author username, as it’s part of Schema.
To view it in the Google Chrome browser, go to either a blog post page or a blog archive page. Right-click on the page and choose Inspect. This will open Chrome Developer Tools. Search the HTML (Ctrl+F on PC or Cmd+F on a Mac) for Author. You’ll likely see a line:
<div itemscope="" itemprop="author" itemtype="http://schema.org/Person">
Expand that and it will list:
<meta itemprop="url" content="urlofthewebsite/author/username/">
<meta itemprop="name" content="Public Display Name">
Also, you can search for class fl-post-author, and you’ll find:
<span class="fl-post-author">By <a href="urlofthewebsite/author/username/"><span>Public Display Name</span></a></span>
That’s another location that exposes the username of the person who published a post.
Some people might say you can change the Author Name in WP User Settings. You can only change the Nickname, which is the Public Display Name, but you cannot change the username.
Recently, when WordPress released the REST API in version 4.7, it also allowed username harvesting. Security plugins quickly fixed that, and the WordPress team released a patch to fix that shortly after.
You should always have a Child Theme where you make all modifications. If you make changes to the main Beaver Builder Theme, or to Beaver Builder Plugin files, then with the first update, all your changes will be overwritten.
Below are instructions on how to fix it if you’re using the Beaver Builder Posts Module. The Posts module allows displaying either blog posts or custom post types in different layouts. For example, if you have a Custom Post Type “Portfolio”, you can display portfolio pieces in a Post Grid Module on the Home Page. Or if you want to display the latest blog posts on the home page, you can display them in a Post Module.
Remove Author Username from HTML:
Follow the steps to customize posts module in your child theme.
- Create a new folder in your theme’s folder named fl-builder.
- Create a new folder within your theme’s fl-builder folder named modules.
- Copy the whole post-grid module folder you wish to override from wp-content/plugins/bb-plugin/modules to your theme’s fl-builder/modules folder.
- Now that you have copied it, open post-grid.php in the your-theme/fl-builder/modules/post-grid directory.
- Comment out lines 224-228 (//Author Schema Meta). You can also remove Date Published meta, if you don’t want dates displayed in HTML. Then comment out lines 209 and 210.
- Now open file post-grid.php in your-theme/fl-builder/modules/post-grid/includes. Notice there is another post-grid.php inside the includes folder.
- Replace it with this code. I removed all instances of displaying fl-post-grid-author class.
Please note that even though you can customize the module’s code, the module’s folder name, main php file name and main class name must remain unchanged to be recognized by the builder.
- Now upload the newly created and customized /fl-builder folder to your child theme directory on your live site via FTP.
- Refresh the live page that contains the Post Module and open Developer Tools (right-click, choose Inspect). Search for Author, and it won’t find anything.
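To repeat the check from the last step without searching by hand, the following added example (not part of the original post or of Beaver Builder) scans saved page HTML for the two locations described above: the Schema author meta tag and the fl-post-author link. The sample markup, example.com and the username jsmith are constructed placeholders.

```python
import re
from html.parser import HTMLParser

AUTHOR_SLUG = re.compile(r"/author/([^/?#]+)")  # WordPress author archive path
VOID = {"meta", "link", "img", "br", "hr", "input"}  # tags with no closing tag

class AuthorLeakFinder(HTMLParser):
    """Records usernames exposed by Schema author meta or fl-post-author links."""
    def __init__(self):
        super().__init__()
        self.leaks = []   # (location, username) pairs
        self._open = []   # (tag, context) for every element still open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Innermost enclosing context: "schema", "byline" or None.
        ctx = next((c for _, c in reversed(self._open) if c), None)
        url = None
        if ctx == "schema" and a.get("itemprop") == "url":
            url = a.get("content")
        elif ctx == "byline" and tag == "a":
            url = a.get("href")
        match = AUTHOR_SLUG.search(url or "")
        if match:
            self.leaks.append((ctx, match.group(1)))
        own = None
        if a.get("itemprop") == "author":
            own = "schema"
        elif "fl-post-author" in (a.get("class") or "").split():
            own = "byline"
        if tag not in VOID:
            self._open.append((tag, own))

    def handle_endtag(self, tag):
        if tag in (t for t, _ in self._open):
            while self._open.pop()[0] != tag:
                pass  # discard unclosed children

def find_author_leaks(html):
    finder = AuthorLeakFinder()
    finder.feed(html)
    finder.close()
    return finder.leaks

# Constructed sample markup (example.com and "jsmith" are placeholders).
SAMPLE = """<div itemscope="" itemprop="author" itemtype="http://schema.org/Person">
<meta itemprop="url" content="https://example.com/author/jsmith/"></div>
<span class="fl-post-author">By <a href="https://example.com/author/jsmith/">
<span>Public Display Name</span></a></span>"""
```

Save the page source of your own site before and after overriding the module and pass each to `find_author_leaks`; an empty list after the change means neither location still carries the username.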
Thank you very much for writing this blog post, and the workaround.
The very same issue was worrying me and you helped me save a few hours or so fixing this.
Will report this to BB.
I’m glad it helped you. I spent a long time trying to figure it out and Carlos from Beaver Builder support helped me solve it. He said he’ll bring it up to their Development team. I hope they’ll fix it soon.
Unfortunately, this isn’t a security risk and the information in this article isn’t really useful. The reason I state this is that your username is also displayed in the slug for the author URL, i.e. my-site.com/author/admin. Leaking your username isn’t considered a security risk by the lead WordPress developers; using a weak password is. You can learn more about this from the link below. 🙂
https://wptavern.com/why-showing-the-wordpress-username-is-not-a-security-risk
I completely agree that a weak password is a security risk. However, not everyone wants to announce their usernames to the world and, by default, the Beaver Builder Posts module displays it in Schema. It’s always advised to delete the “Admin” username that ships with WordPress, as hackers target it the most, and all they have to do is guess a password. I think the best security will be achieved by having a strong password and not announcing your Author Username.