Security Issue in WordPress 5.5 with the XML Sitemap Feature
WordPress 5.5 was released to the public on August 11, 2020. A new feature was introduced that adds basic, extensible XML sitemaps functionality into WordPress core. Sounds good, right? Right?
The problem that I see with this new functionality is that it is ON by default. It’s not even something that you can opt-in or opt-out.
If you update to WordPress 5.5+ then a new /wp-sitemap.xml is automatically created in the root of your website.
Yes, there are some technical limitations. Web hosts will be required to install the SimpleXML PHP extension, but many hosts already have it installed.
There is an easy way to disable this feature, but it requires actions on the part of the website administrator. But obviously not all website owners follow release notes closely to be aware of this.
So what’s the problem?
First of all, there is no page in the back-end that would allow you to enable or disable this sitemap, or at least exclude parts of the website from it.
The first problem is that this new sitemap contains a list of accounts on the website.
Remember when a popular safety recommendation was to create an admin account with an username other than “admin”? Now this doesn’t matter that much.
This feature automatically exposes a complete list of accounts with published posts or pages. So instead of trying to guess existing accounts on a website, hackers and bots can just see a list of accounts.
To be fair, this is not something new. Plugins like Yoast SEO already have this feature, but at least you have to manually enable their Sitemaps feature. And you have the option of disabling author sitemaps.
The second problem is that this feature might cause SEO losses instead of benefits. I’ve had many clients that thought that search engines see only the content that is added to a menu. Many think that if you don’t link to a page from the menu, nobody will see that page.
Because of this you can often find blank pages or pages with sensitive content on the front-end, even if they are visible only via sitemaps or search engine indexes.
Considering that WordPress powers over a third of websites, now there’s a lot of websites that are more exposed to attacks than before the release of 5.5.
How to fix it?
As a user, the quickest way to handle this issue is by going to Appearance > Theme Editor > functions.php and adding this line of code somewhere in the file:
<?php add_filter( 'wp_sitemaps_enabled', '__return_false' ); ?>
Many popular plugins already do this. For example Yoast SEO and Jetpack both disable this feature for you.
Isn’t it a little weird that other plugins have to disable this feature by default, without even asking? This might be a good sign that a feature is not implemented correctly.
The road to hell is paved with good intentions
Even though it’s not my place to judge or argue about wasted energy and resources, I do agree with the fact that other plugins will simply have to disable this feature. This is a weird outcome of whatever amount of work and effort that was put into this functionality.
I hope that this feature will be adjusted one way or another in future WordPress updates, maybe in 5.5.2 or 5.5.3.