As an advanced publishing tool, WordPress typically defaults to displaying information about the author behind a given post or page on a WordPress site. But sometimes you want to build a website that has a more "singular" editorial identity, and that doesn't appear to be authored and managed by multiple people, even if it is. I see this regularly with corporate brands, political organizations, larger not-for-profits, and advocacy groups where the identity of a post or page's author could distract from the content being shared.

So how do you keep WordPress from revealing the author information - names, usernames and more - for the administrative users of your site? Here are a few tips, aimed at WordPress developers comfortable customizing their sites through changing the theme and plugin code.

First, a disclaimer. There's no way to be 100% certain that the author names on a public WordPress site will never be visible to others. After all, we're talking about a database and set of content that is connected to the Internet and generally designed for public consumption (though plenty of people build private WordPress sites too). If you are trying to protect user information in matters of personal safety or other substantial risk, you should make sure none of their real identifying info is stored in WordPress in the first place.

With that out of the way, there are a couple of key areas to consider:

  1. The WordPress theme you're using.
  2. The machine-readable feeds that WordPress generates.
  3. The WordPress API.
  4. The WordPress plugins you're using.

Hiding Author Names in the WordPress Theme

The first place to make sure you're not displaying author information is in the WordPress theme you're using on the site. Most WordPress themes include some kind of call to a function like the_author which displays the name of the author of a post or page. You could try to go through all of the files in the theme and remove calls to those functions, and then do the same for the WordPress core template files, and any parent themes involved. But this is not a good practice as it makes your theme harder to upgrade in the future, and could involve a lot of time and potentially disruptive changes.

Instead, you can use a WordPress filter in your functions.php file (using a child theme where appropriate) to change how author names are displayed throughout your site, except in the WordPress admin area where you presumably want to still see this information:

/**
 * Remove author display name
 * @param $display_name
 * @return string
 */
function my_remove_author_display_name( $display_name ) {
    if ( ! is_admin() ) {
	    return '';
    }
    return $display_name;
}
add_filter( 'the_author', 'my_remove_author_display_name' );

Again, for any place where the_author is called that is not in the admin context, this filter will return an empty string. Voila, no more author names on your site.

This filter should also handle removing author information from RSS feeds generated by WordPress (aka the dc:creator entity). You can confirm by visiting the https://yoursite.com/feed/.

Even with this in place, it's still worth searching through your theme files for other mentions of "author" or "username" and the like, to make sure your theme isn't doing something else to display author names.

Disabling Author Display in the WordPress API

The WordPress API includes a wide variety of API endpoints that contain details about the posts, pages and other parts of a WordPress site - including authors. While changes have been made to only have the /users/ endpoint display information about authors associated with public, published posts, you still may want to hide that information.

Thanks to the discussion in this GitHub issue, we know an easy way to do that:

/**
 * Adjust API endpoint availability to hide user info
 */
function my_api_endpoint_setup( $endpoints ) {
	if ( isset( $endpoints['/wp/v2/users'] ) ) {
		unset( $endpoints['/wp/v2/users'] );
	}
	if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
		unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
	}
	return $endpoints;
}
add_filter( 'rest_endpoints', 'my_api_endpoint_setup' );

This code, to be placed in your functions.php file, will completely disable the part of the API that returns user information. Other parts of the API will still reference things like an author's numeric ID in the WordPress database, but it won't be easy for someone to figure out that user's display name or username.

In case it's not obvious, disabling parts of the WordPress API should be done at your own risk with thorough testing. Increasingly, other WordPress tools, themes and plugins are coming to depend on it, and may not work properly without all endpoints available.

WordPress Plugins May Expose Author Info

Even if your theme and API setup are all set to hide user names and display names, you may be using plugins that display author information anyway.

For example, the Yoast SEO plugin will, by default, display author archives and include author information in the sitemaps it generates. If you turn off the author archive display, the author sitemap will also be removed.

The only real way to make sure your plugins aren't displaying author information somewhere unintended is to look through the plugin code in some detail. You could search for mentions of "author," "the_author," or "username" as a starting point.

In general, it's best to use as few plugins as possible, and to only use plugins where you fully understand everything that they're doing with your site content and functionality - especially if you're trying to keep certain parts of it like usernames away from public view.

I'll repeat my disclaimer from above: even with these tips and changes, there are other unexpected ways a site could make author information available, and you'll have to carefully research and monitor how each tool in use on your site might contribute to that.

Are there other helpful tips you've found for hiding a WordPress site's authors and users?

One thought on “Hiding authors and users in WordPress

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.