Removing all trace of member profiles

I am working on a site that deals with extremely sensitive and personal topics of personal health. As such, it is necessary that having a user account on the site is completely confidential with zero traces left on the public-facing site.

Aside from a few admin tools, all plugins used will be written by me (so no leakage via plugins should happen); likewise, I will be creating a custom theme (all other themes removed). I can therefore be relatively sure that content does not show user links.

What personal information is required (and some is needed) I plan to store encrypted.

I've blocked enumerable profile links - stuff like example.com/?author=42 just gets yeeted away via .htaccess. I'm assuming I can do the same for the fancy permalink version (I've not looked into that yet).

I've looked at adding a theme function to detect /author/* pages and doing some sort of if statement that looks at if the member is logged in and/or if the page type is a member profile. However, that does not stop the member/author profile pages from existing (something I'd like to just outright remove). I am worried that there may be other ways in which user names could leak.

I'm okay with the idea of building a firewall of .htaccess and code level redirects away from public profiles as well as redacting it in all theme parts. What worries me is that even if example.com/author/yourname cannot easily be reached and displays 404 - no such page it still exists and the URL itself leaks information.

I figure there must be a way to hook the permalink generation and create a garbage URL even if I do not know how to do so yet.

Most of my Google searches just lead to articles shilling plugins - not exactly helpful.

Which hooks and filters do I need to examine to remove any final traces of the members from the public site (while still having user accounts)?

Is there anything else I should know, try, or look at that I have not covered here? Anything else that can point me in the right direction would be greatly appreciated.

Edit: The comments issue I was worried about was relatively simple to secure after all (I'd missed something really obvious). I'm still looking for every last way use identity could leak so advice and pointers at hooks, filters, and other functions are still wanted.

Topic members users Wordpress

Category Web

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.