
WordPress Draft Spy
Last Updated: December 29, 2007
Looks like anyone can easily spy on your WordPress drafts. Thankfully, there's a quick fix. And no, you don't even have to touch any of your WordPress PHP files.
First read about this in Ryan's WordPress Hacked: Anyone Can View Future/Draft Posts over at CyberNetNews.com, thanks to the Tweet of Tyler Reed.
In short, with a little patience, others can view your drafts or unpublished WordPress posts. If those folks are active bloggers, then they can publish a similar post ahead of you.
Ryan talks about quickly solving the problem by editing your wp-includes\query.php file.
If you're not comfortable editing that file and uploading the edited version back to your webserver, you can redirect
index.php/wp-admin/
to
/wp-admin/
(NOTE: You might need to make two redirects: one with a trailing slash, as in index.php/wp-admin/, and another without the trailing slash, as in index.php/wp-admin, just to be on the safe side.)
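One way to set up both redirects, as an added example that is not from the original post. It assumes an Apache server with mod_alias enabled, WordPress installed at the site root, and that the directive goes in the root .htaccess file:

```apache
# Added example (not from the original post).
# Assumptions: Apache with mod_alias, WordPress at the site root,
# directive placed in the root .htaccess file.
<IfModule mod_alias.c>
    # "/?" makes the trailing slash optional, so this single rule covers
    # both index.php/wp-admin/ and index.php/wp-admin.
    # "$" anchors the match, so longer paths are left untouched.
    RedirectMatch 301 ^/index\.php/wp-admin/?$ /wp-admin/
</IfModule>
```

Once the rule is in place, a request for either form should come back as a 301 with a Location header pointing at /wp-admin/.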
I tested the draft spying issue with respect to the WordPress RSS feed, but was not able to reproduce it even on my other sites that do not use the Feedburner redirect plugin.
So if you're the kind of WordPress blogger who likes to write drafts, protect your future posts from the prying eyes of the WordPress post hijackers.

First Posted: December 29, 2007 | Filed in: Wordpress
