In Notion, when I paste a wordpress page or post link into a note, the “mention” feature appears. When you use this feature, it adds the author username of the page or post into the note. I want to turn this off. In fact, my only goal is to prevent wp usernames from leaking out.
I tried the code below, this code sends the endpoint “/wp-json/wp/v2/users/1” to 404, but Notion can still somehow find the username.
<?php
function disable_users_endpoint( $endpoints ) {
if ( isset( $endpoints['/wp/v2/users'] ) ) {
unset( $endpoints['/wp/v2/users'] );
}
if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
}
return $endpoints;
}
add_filter( 'rest_endpoints', 'disable_users_endpoint' );
?>
There are following things you can do :
1- Redirect Author Archives to Home page :
function disable_author_archives() {
if (is_author()) {
wp_redirect(home_url(), 301);
exit;
}
}
add_action('template_redirect', 'disable_author_archives');
2- WordPress may expose usernames in meta generator tags. To resolve this :
remove_action('wp_head', 'wp_generator');
remove_action('wp_head', 'rest_output_link_wp_head');
remove_action('wp_head', 'wp_oembed_add_discovery_links');
3- Your code blocks wp-json/wp/v2/users/1, but usernames can still be exposed via other endpoints, such as:
/wp-json/wp/v2/posts/ (which may return author details).
To fix this completely hide user data from REST API:
function remove_user_endpoints( $data, $post, $request ) {
if (!is_admin()) {
unset($data->data['author']);
}
return $data;
}
add_filter('rest_prepare_post', 'remove_user_endpoints', 10, 3);
function disable_rest_user_query( $response, $user, $request ) {
return is_admin() ? $response : new WP_Error('rest_forbidden', __('Not allowed'), array('status' => 403));
}
add_filter('rest_prepare_user', 'disable_rest_user_query', 10, 3);