Open kkmuffme opened 3 weeks ago
kkmuffme
commented
3 weeks ago This same issue also exists for the other archives.
For media it redirects to the actual image isntead of 404-ing (as it says there), however I think the more efficient (and preferred, or in that case possibly optional) way would be to just 404 it too.
josevarghese
commented
3 weeks ago Hi @kkmuffme
Thanks for using the Yoast SEO plugin and creating the bug report. We are discussing this issue internally and will update you with more details.
josevarghese
commented
1 day ago Hi @kkmuffme
We have discussed this internally and decided to create an internal issue to make further decisions about improving this. The newly created issue is now in the product enhancements board.
Please give us a description of what happened
Disabling archives (e.g. author archives /wp-admin/admin.php?page=wpseo_page_settings#/author-archives) will mean that the author archive page + all feeds of it will 301 redirect to home page instead of 404.
1) Server load: it unnecessarily creates server load even when served from page cache (since we need to serve 2 requests as we first need to serve the 301 and then the home page), and the author and feed pages are requested gazillions of times by various bots For WP installs that do not cache 301s (which are 99% of WP sites I'd guess), it's even worse, since it massively increases the server load since the disabled archives wouldn't be served from page cache (and WP pages without page even worse, since it's effectively serving 2 uncached requests)
2) Security: this feature accidentally creates a side-channel attack. e.g. you have an existing user John. Disabling the author archives will then mean: /author/John/ => redirected to home page, 301 /author/Robert/ => this user does not exist, 404
Now this by itself already could be abused for side-channel attacks, since it allows us to easily circumvent login restrictions. e.g. I have a list of usernames+passwords from a leak, but I cannot try all of them, since most pages rate limit invalid logins. I can now use this inconsistent behavior to validate the usernames and then only try the valid usernames for login.
Even worse, when using a security plugin that also disables this archives but serves them as 404 - usually Yoast would intercept it earlier and force the 301, which means that unsuspecting users accidentally make their page less secure by disabling the archives with Yoast in this case.
Additionally, this allows checking if a specific person has an account on a page (which I guess is one of the reason many sites disable those, since it creates unnecessary data privacy requirements)
3) you yourself think 301 instead of 404 is a bad idea: https://yoast.com/seo-anti-patterns-301-redirect-all-your-404s-to-your-homepage/
To Reproduce
Step-by-step reproduction instructions
Expected results
404
Actual results
301 to home page
Technical info
Used versions