Recently, I wrote a post about WordPress 2.2.1 always delivering full content with the author feeds, ignoring the publisher’s settings. I deliberately had not disclosed much information about the issue, not because it was security related, but because it could make the content leechers’ job easier and cleaner. Now that the WordPress developers have come up with a solution, I’ll post the details about the problem and the way to fix it.
Here is the ticket on the WordPress bug tracking system. (My initial bug report deserves a prize, don’t you think?)
But first, a few things about the author feed. It is well-known that WordPress can create a feed for almost any type of content. The author feed contains all the content that has been published by a specific author.
Starting with WordPress 2.2, all the feed generators have been moved into wp-includes, but the old files, like wp-rss2.php, still exist in WordPress’ root directory for backwards compatibility. It seems that when an author feed is requested by using those old files, the generator ignores the setting that controls whether full content is delivered, and the feed ends up containing the published content in its entirety.
For example, assuming that an author’s ID is 1, the following URL returns a feed with all content posted by that specific author:
The resulting XML file contains full content (you won’t notice any difference if you deliver full content in your feeds by default!).
At this point, I must clarify one thing. None of the WordPress template tags returns a feed link that points to any of the old feed generators. So even an old theme, provided it makes proper use of the template tags to print the feed links, cannot print links like the one above.
On the other hand, a content leecher could very easily guess an author’s ID and craft such a URL in order to retrieve the full published content in the clean form in which it exists in the feed.
Anyhow, the fix is to delete all those old feed generators from the WordPress v2.2.1 root dir:
This will not affect your feeds.
Note that, if you use permalinks, URLs like the one above will probably still work even after you delete those files, but this time they do not ignore the user settings regarding the amount of content that is delivered within the feeds. It is quite strange how they work properly this time, but, fortunately, this is how it is.
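One way to confirm that a feed respects the summary setting after the fix, as an added example that is not part of the original post or of WordPress: save the feed XML and check each item for a full post body. It assumes that the RSS 2.0 feed carries the full body in a `content:encoded` element and only the excerpt in `description`; the function names and both sample feeds are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the RSS "content" module; content:encoded holds the full post body.
CONTENT_NS = "http://purl.org/rss/1.0/modules/content/"


def full_content_items(feed_xml):
    """Return the titles of all <item>s that carry a non-empty content:encoded."""
    # For feeds you do not control, parse with defusedxml instead of ElementTree.
    root = ET.fromstring(feed_xml)
    exposed = []
    for item in root.iter("item"):
        body = item.find(f"{{{CONTENT_NS}}}encoded")
        if body is not None and (body.text or "").strip():
            exposed.append(item.findtext("title", default="(untitled)"))
    return exposed


def respects_summary_setting(feed_xml):
    """True when no item in the feed exposes the full post body."""
    return not full_content_items(feed_xml)


# Constructed sample feeds (not captured from a real site).
SUMMARY_FEED = """<?xml version="1.0"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
 <channel><title>Example blog</title>
  <item><title>Post A</title><description>Short excerpt [...]</description></item>
  <item><title>Post B</title><description>Another excerpt [...]</description></item>
 </channel>
</rss>"""

FULL_FEED = """<?xml version="1.0"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
 <channel><title>Example blog</title>
  <item><title>Post A</title><description>Short excerpt [...]</description></item>
  <item><title>Post B</title><description>Another excerpt [...]</description>
   <content:encoded><![CDATA[<p>The entire article body.</p>]]></content:encoded>
  </item>
 </channel>
</rss>"""

if __name__ == "__main__":
    for name, feed in (("summary feed", SUMMARY_FEED), ("full feed", FULL_FEED)):
        titles = full_content_items(feed)
        print(f"{name}: {'OK' if not titles else 'full content in ' + repr(titles)}")
```

Run it against the saved output of each feed URL your site answers to, both before and after removing the old files, with the summary setting enabled.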
Generally, this issue is not an important one, but I think you should know about it, especially now that a fix is available.
Issue addressed: Author feeds deliver full content by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2007 - Some Rights Reserved