[wp-hackers] Author URLs expose usernames

אלמוג בקו almog.baku at gmail.com
Wed Jul 18 21:23:40 UTC 2012


So, Otto, why is the login limitation not part of the core?
It seems so basic, and so important.

The common WordPress user (website owner) doesn't even know the priority of
issues like security and caching, so most of them didn't install the
third-party plugins.

Caching and security MUST be part of the core. From my point of view at
least.

~ Almog.


On Wednesday, 18 July 2012, Muhammad Ali wrote:

> Short answer (must sleep), I used to use .htaccess and .htpasswd to secure
> the wp-admin directory. If you so please. I would advise also using a
> captcha login page plugin of some kind.
>
>
> On 18 July 2012 18:52, Otto <otto at ottodestruct.com> wrote:
>
> > On Tue, Jul 17, 2012 at 11:13 PM, Tom Barrett <tcbarrett at gmail.com> wrote:
> > > The main issue is exposing the username, passing an author id in the
> > > url is just an easy way to find it.
> >
> > Exposing the username isn't the issue. The username isn't secret, nor
> > should it need to be.
> >
> > The issue is allowing brute-force attacks to be carried out against
> > your site, and having passwords that can be brute-forced to begin
> > with.
> >
> > Consider the case where the username would be considered "secret". A
> > brute-force attack would now have to work against both the username
> > and the password. This is mathematically equivalent to knowing the
> > username and just making the password roughly twice as long.
> >
> > However, it's not really equivalent, because while security
> > professionals have been saying to make your passwords hard for
> > decades, they have not been saying to make your usernames hard as
> > well. Usernames are more likely to be all lowercase, for example. It's
> > easier to brute-force a username than to brute-force a password,
> > basically. So hiding the username isn't adding a whole lot of extra
> > security to this particular attack-vector. Making the password more
> > complex or longer adds a ton more security.
> >
> > What's more, usernames themselves are generally *known* anyway. Most
> > modern systems don't even have usernames, they simply use the email
> > address as the username. The real security is in the password and the
> > difficulty therein.
> >
> > If you want to stop this sort of thing, attack the real problems. Stop
> > the brute-force attacks from working at all by using a plugin like
> > Limit Login Attempts
> > (http://wordpress.org/extend/plugins/limit-login-attempts/) or enforce
> > a good-password policy to begin with. Hiding the username just changes
> > the attack vector, and stops it for a limited time, until they adapt
> > to it. It doesn't actually solve the underlying problem.
> >
> > -Otto
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
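As an added illustration of the mitigation Otto recommends (a login-attempt limiter), and not code from this thread or from the Limit Login Attempts plugin: the thresholds, the `(address, username)` key and the injectable clock are assumptions chosen for the example. It shows why the limiter, not username secrecy, is what cuts guessing throughput, and why the key must include the client address when usernames are public.

```python
# Added illustration of the "limit login attempts" mitigation; not the
# plugin's code. Thresholds and the (address, username) key are assumptions.
import time
from collections import defaultdict


class LoginLimiter:
    """Count failed logins per (client address, username); after max_failures
    within `window` seconds, refuse attempts for `lockout` seconds."""

    def __init__(self, max_failures=5, window=600, lockout=1200, clock=time.time):
        self.max_failures = max_failures
        self.window, self.lockout = window, lockout
        self.clock = clock                  # injectable for deterministic tests
        self._failures = defaultdict(list)  # key -> timestamps of failures
        self._locked_until = {}             # key -> time the lockout ends

    def _key(self, addr, username):
        # Usernames are public (Otto's point), so keying on the username alone
        # would let anyone lock out a user; include the client address too.
        return (addr, username.lower())

    def is_locked(self, addr, username):
        until = self._locked_until.get(self._key(addr, username))
        return until is not None and self.clock() < until

    def record_failure(self, addr, username):
        key, now = self._key(addr, username), self.clock()
        recent = [t for t in self._failures[key] if now - t < self.window]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._failures[key] = []

    def record_success(self, addr, username):
        key = self._key(addr, username)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(limiter, addr, username, password, check_password):
    """Gate a login: 'locked' is returned before the password is checked, so
    guessing throughput falls to max_failures per lockout period per source."""
    if limiter.is_locked(addr, username):
        return "locked"
    if check_password(username, password):
        limiter.record_success(addr, username)
        return "ok"
    limiter.record_failure(addr, username)
    return "bad"
```

A distributed guesser can spread attempts over many addresses, so the limiter complements, rather than replaces, the strong-password policy Otto also asks for.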

