[wp-hackers] Author URLs expose usernames

אלמוג בקו almog.baku at gmail.com
Wed Jul 18 22:14:24 UTC 2012


Agree, but there are issues that the core should offer, like caching. The
third-party plugins make it complicated and confusing.

Look at Drupal, for example. The caching system is so deep in the core, so
it is so easy to configure!
Drupal's caching system is a great example of something that the core does better
than a third-party system.
Look at the W3 Total Cache plugin... Great plugin! But very complicated to
configure, and it makes a lot of problems... Now take a quick look at the Drupal
caching configuration page... And see the differences.

~ Almog

On Thursday, July 19, 2012, Chason Chaffin wrote:

> I prefer to have as few things built into core as possible so that I can
> either implement my own solutions, or choose the best of available
> solutions.
> You may like a basic disk based caching setup, but what if I have a more
> complicated setup utilizing varnish and memcache? The caching built into
> core would need to be able to handle this, but that would be a huge amount
> of upkeep and maintenance to add to core.
>
> "Security" is similar. What you define as security may not be the same
> thing as myself. Plenty of people may not want to have people blocked after
> a certain number of login attempts, or may want to implement that feature
> in a separate way. Personally, I prefer to use something like fail2ban, but
> others may want to use .htaccess, etc etc. This is a lot to build into
> core, when core is better kept to be SIMPLE and EXTENSIBLE instead of
> having it do everything for everyone.
>
> On Wed, Jul 18, 2012 at 2:23 PM, אלמוג בקו <almog.baku at gmail.com>
> wrote:
>
> > So... Otto, why is the login limitation not part of the core?
> > It seems so basic, and so important.
> >
> > The common WordPress user (website owner) doesn't even know the priority of
> > issues like security and caching, so most of them don't install the
> > third-party plugins.
> >
> > Caching and security MUST be part of the core. From my point of view, at
> > least.
> >
> > ~ Almog.
> >
> >
> > On Wednesday, July 18, 2012, Muhammad Ali wrote:
> >
> > > Short answer (must sleep): I used to use .htaccess and .htpasswd to
> > > secure the wp-admin directory, if you so please. I would also advise using a
> > > captcha login page plugin of some kind.
> > >
> > >
> > > On 18 July 2012 18:52, Otto <otto at ottodestruct.com> wrote:
> > >
> > > > On Tue, Jul 17, 2012 at 11:13 PM, Tom Barrett <tcbarrett at gmail.com>
> > > > wrote:
> > > > > The main issue is exposing the username; passing an author ID in
> > > > > the URL is just an easy way to find it.
> > > >
> > > > Exposing the username isn't the issue. The username isn't secret, nor
> > > > should it need to be.
> > > >
> > > > The issue is allowing brute-force attacks to be carried out against
> > > > your site, and having passwords that can be brute-forced to begin
> > > > with.
> > > >
> > > > Consider the case where the username would be considered "secret". A
> > > > brute-force attack would now have to work against both the username
> > > > and the password. This is mathematically equivalent to knowing the
> > > > username and just making the password roughly twice as long.
> > > >
> > > > However, it's not really equivalent, because while security
> > > > professionals have been saying to make your passwords hard for
> > > > decades, they have not been saying to make your usernames hard as
> > > > well. Usernames are more likely to be all lowercase, for example. It's
> > > > easier to brute-force a username than to brute-force a password,
> > > > basically. So hiding the username isn't adding a whole lot of extra
> > > > security to this particular attack-vector. Making the password more
> > > > complex or longer adds a ton more security.
> > > >
> > > > What's more, usernames themselves are generally *known* anyway. Most
> > > > modern systems don't even have usernames, they simply use the email
> > > > address as the username. The real security is in the password and the
> > > > difficulty therein.
> > > >
> > > > If you want to stop this sort of thing, attack the real problems. Stop
> > > > the brute-force attacks from working at all by using a plugin like
> > > > Limit Login Attempts
> > > > (http://wordpress.org/extend/plugins/limit-login-attempts/) or enforce
> > > > a good-password policy to begin with. Hiding the username just changes
> > > > the attack vector, and stops it for a limited time, until they adapt
> > > > to it. It doesn't actually solve the underlying problem.
> > > >
> > > > -Otto
> > > > _______________________________________________
> > > > wp-hackers mailing list
> > > > wp-hackers at lists.automattic.com
> > > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > > >
> > >
> >
>
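
A failed-login limiter of the kind Otto points to, as an added example that is not code from this thread, from WordPress core, or from the Limit Login Attempts plugin. It shows why rate limiting, not username secrecy, is what stops the brute-force attack: once the failure threshold is hit, even the correct password is refused until the lockout expires. The thresholds, the choice to key lockouts on (client IP, username), the PBKDF2 credential store, the user record and the guess list are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Policy values chosen for illustration (assumption, not the plugin's defaults).
MAX_ATTEMPTS = 4            # failures allowed inside the window
WINDOW_SECONDS = 12 * 60    # failures older than this are forgotten
LOCKOUT_SECONDS = 20 * 60   # how long the (ip, username) pair stays locked


def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the credential store holds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class LoginLimiter:
    """Sliding-window failure counter with a timed lockout per (ip, username)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lockout expires

    @staticmethod
    def _key(ip, username):
        # Usernames are treated case-insensitively so "Admin" and "admin" share a bucket.
        return (ip, username.lower())

    def is_locked(self, ip, username, now):
        until = self._locked_until.get(self._key(ip, username))
        return until is not None and now < until

    def record_failure(self, ip, username, now):
        """Count one failure; return True if it pushed the key into lockout."""
        key = self._key(ip, username)
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop stale failures
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, ip, username):
        self._failures.pop(self._key(ip, username), None)


def attempt_login(limiter, users, ip, username, password, now):
    """Return 'locked', 'ok' or 'failed'. The lockout is checked BEFORE the password."""
    if limiter.is_locked(ip, username, now):
        return "locked"
    record = users.get(username.lower())
    # Hash even for unknown users so response time does not reveal which names exist.
    salt = record["salt"] if record else b"\x00" * 16
    candidate = hash_password(password, salt)
    if record and hmac.compare_digest(candidate, record["hash"]):
        limiter.record_success(ip, username)
        return "ok"
    limiter.record_failure(ip, username, now)
    return "failed"


def simulate_bruteforce(guesses, correct_password="correct horse battery"):
    """Run a guess list against one account from one IP; return the outcome per guess."""
    salt = os.urandom(16)
    users = {"admin": {"salt": salt, "hash": hash_password(correct_password, salt)}}
    limiter = LoginLimiter()
    outcomes = []
    for i, guess in enumerate(guesses):
        # One guess per second, well inside the window (constructed timeline).
        outcomes.append(attempt_login(limiter, users, "203.0.113.7", "admin",
                                      guess, now=1000 + i))
    return outcomes


if __name__ == "__main__":
    # Constructed wordlist; the correct password sits in fifth place.
    print(simulate_bruteforce(["password", "123456", "admin", "letmein",
                               "correct horse battery", "qwerty"]))
```

Keying on the IP alone is defeated by an attacker who spreads guesses across many addresses; keying on the username alone lets anyone lock the administrator out on purpose. The pair used here is a middle ground, and whichever key is chosen, the lockout check must run before the credential check so that a locked attacker learns nothing about the password.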

