[wp-hackers] Author URLs expose usernames

Chason Chaffin chason at gmail.com
Wed Jul 18 22:16:52 UTC 2012


While I haven't used Drupal extensively, my experience with helping people
troubleshoot it did not give me a lot of confidence in their caching
system. It may be simple and built in, but it does not scale well. And
since it is built so deep into the core, if you need to do something that
is not covered in its use cases you are out of luck.

If you need a caching plugin for WP that is simple, take a look at WP Super
Cache. This is the reason why leaving caching in plugins is great: it
allows for solutions that meet the diverse needs of the people that use
WordPress.

On Wed, Jul 18, 2012 at 3:14 PM, אלמוג בקו <almog.baku at gmail.com> wrote:

> Agree, but there are issues that the core should offer, like caching. The
> third-party plugins make it complicated and confusing.
>
> Look at Drupal for example. The caching system is so deep into the core, so
> it's so easy to configure!
> Drupal's caching system is a great example of something that the core does better
> than a third-party system.
> Look at the W3 Total Cache plugin.. Great plugin! But very complicated to
> configure, and makes a lot of problems.. Now take a quick look at the Drupal
> caching configuration page.. And see the differences.
>
> ~ Almog
>
> On Thursday, 19 July 2012, Chason Chaffin wrote:
>
> > I prefer to have as few things built into core as possible so that I can
> > either implement my own solutions, or choose the best of available
> > solutions.
> > You may like a basic disk based caching setup, but what if I have a more
> > complicated setup utilizing varnish and memcache? The caching built into
> > core would need to be able to handle this, but that would be a huge amount
> > of upkeep and maintenance to add to core.
> >
> > "Security" is similar. What you define as security may not be the same
> > thing as I do. Plenty of people may not want to have people blocked after
> > a certain number of login attempts, or may want to implement that feature
> > in a separate way. Personally, I prefer to use something like fail2ban, but
> > others may want to use .htaccess, etc etc. This is a lot to build into
> > core, when core is better kept to be SIMPLE and EXTENSIBLE instead of
> > having it do everything for everyone.
> >
> > On Wed, Jul 18, 2012 at 2:23 PM, אלמוג בקו <almog.baku at gmail.com> wrote:
> >
> > > So.. Otto, why is the login limitation not part of the core?
> > > It seems so basic, and so important.
> > >
> > > The common WordPress user (website owner) doesn't even know the priority of
> > > issues like security and caching, so most of them didn't install the
> > > third-party plugins.
> > >
> > > Caching and security MUST be part of the core. From my point of view at
> > > least.
> > >
> > > ~ Almog.
> > >
> > >
> > > On Wednesday, 18 July 2012, Muhammad Ali wrote:
> > >
> > > > Short answer (must sleep), I used to use .htaccess and .htpasswd to secure
> > > > the wp-admin directory. If you so please. I would advise also using a
> > > > captcha login page plugin of some kind.
> > > >
> > > >
> > > > On 18 July 2012 18:52, Otto <otto at ottodestruct.com> wrote:
> > > >
> > > > > On Tue, Jul 17, 2012 at 11:13 PM, Tom Barrett <tcbarrett at gmail.com> wrote:
> > > > > > The main issue is exposing the username, passing an author id in the
> > > > > > url is just an easy way to find it.
> > > > >
> > > > > Exposing the username isn't the issue. The username isn't secret, nor
> > > > > should it need to be.
> > > > >
> > > > > The issue is allowing brute-force attacks to be carried out against
> > > > > your site, and having passwords that can be brute-forced to begin
> > > > > with.
> > > > >
> > > > > Consider the case where the username would be considered "secret". A
> > > > > brute-force attack would now have to work against both the username
> > > > > and the password. This is mathematically equivalent to knowing the
> > > > > username and just making the password roughly twice as long.
> > > > >
> > > > > However, it's not really equivalent, because while security
> > > > > professionals have been saying to make your passwords hard for
> > > > > decades, they have not been saying to make your usernames hard as
> > > > > well. Usernames are more likely to be all lowercase, for example. It's
> > > > > easier to brute-force a username than to brute-force a password,
> > > > > basically. So hiding the username isn't adding a whole lot of extra
> > > > > security to this particular attack-vector. Making the password more
> > > > > complex or longer adds a ton more security.
> > > > >
> > > > > What's more, usernames themselves are generally *known* anyway. Most
> > > > > modern systems don't even have usernames, they simply use the email
> > > > > address as the username. The real security is in the password and the
> > > > > difficulty therein.
> > > > >
> > > > > If you want to stop this sort of thing, attack the real problems. Stop
> > > > > the brute-force attacks from working at all by using a plugin like
> > > > > Limit Login Attempts
> > > > > (http://wordpress.org/extend/plugins/limit-login-attempts/) or enforce
> > > > > a good-password policy to begin with. Hiding the username just changes
> > > > > the attack vector, and stops it for a limited time, until they adapt
> > > > > to it. It doesn't actually solve the underlying problem.
> > > > > -Otto
> > > > > _______________________________________________
> > > > > wp-hackers mailing list
> > > > > wp-hackers at lists.automattic.com
> > > > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > > > >
>
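The defence Otto recommends in the quoted message, a limit on failed login attempts, as an added example that is not part of this thread and not the code of the Limit Login Attempts plugin: a lockout keyed on both source IP and username, run over a constructed sequence of attempts in which the username is already public. The thresholds, addresses, account and password are assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES, WINDOW_SECONDS, LOCKOUT_SECONDS = 5, 600, 1200

def limiter_keys(ip, username):
    # Count per source IP and per account so both attack shapes trip the limiter.
    return (f"ip:{ip}", f"user:{username.lower()}")

class LoginLimiter:
    def __init__(self, clock):
        self.clock = clock                  # callable returning the current time
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires
    def is_locked(self, ip, username):
        now = self.clock()
        return any(self.locked_until.get(k, 0) > now for k in limiter_keys(ip, username))
    def record_failure(self, ip, username):
        now = self.clock()
        for k in limiter_keys(ip, username):
            q = self.failures[k]
            q.append(now)
            while now - q[0] > WINDOW_SECONDS:  # drop failures outside the window
                q.popleft()
            if len(q) >= MAX_FAILURES:
                self.locked_until[k] = now + LOCKOUT_SECONDS
                q.clear()

def attempt_login(lim, ip, username, password, check_password):
    # Returns 'locked', 'ok' or 'bad'; the lock is checked before the password.
    if lim.is_locked(ip, username):
        return "locked"
    if check_password(username, password):
        return "ok"
    lim.record_failure(ip, username)
    return "bad"

def simulate():
    # Constructed sample: public username, 203.0.113.5 guesses passwords, then the owner logs in from 198.51.100.7.
    clock = [1000.0]
    lim = LoginLimiter(clock=lambda: clock[0])
    check = lambda u, p: (u, p) == ("admin", "correct horse battery staple")
    out = []
    for guess in ["password", "admin", "123456", "letmein", "qwerty", "admin1"]:
        out.append(attempt_login(lim, "203.0.113.5", "admin", guess, check))
        clock[0] += 1
    owner = lambda: attempt_login(lim, "198.51.100.7", "admin", "correct horse battery staple", check)
    out.append(owner())          # the per-account lock also blocks the owner
    clock[0] += LOCKOUT_SECONDS  # once the lockout expires the owner gets in
    out.append(owner())
    return out
```

The per-username key is what stops a distributed guess against one known account, but the same key lets five bad guesses lock the real owner out until the window expires; keying on IP alone avoids that and misses the distributed case, which is the trade-off behind the "blocked after a certain number of login attempts" disagreement above.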

