[wp-hackers] WordPress can "leak" if a username is valid

Will Brown will.h.brown at gmail.com
Mon Feb 18 21:01:35 GMT 2008


I have to say I agree with Otto. Every attacker already knows a username
they can brute-force with: "admin". Every single WordPress installation has
the admin user unless someone's gone in and changed the database, so an
attacker doesn't need to use this method to gain a hackable account.

If we're really worried about the security of usernames and being able to
guess them, then we should do away with a default, unchangeable administrator
username, instead of an indication that a username exists.

Will
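The post contrasts two things a defender might see in failed-login data: a stock account such as "admin" being hammered, and a sweep across many different usernames (the kind of probing that an "is this username valid" indication makes cheaper). The script below is an added example, not code from the list post or from WordPress; it parses constructed log lines in an assumed `<timestamp> <ip> login_failed user=<name>` layout (WordPress core writes no such log, so this stands in for a login-audit plugin or reverse proxy) and flags each source address for either behaviour. The thresholds and the `admin` default-account set are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example. WordPress core itself writes no
# login log; the "<ts> <ip> login_failed user=<name>" layout is an assumed format
# such as a login-audit plugin or a reverse proxy might emit.
SAMPLE_LOG = """\
2008-02-18T21:00:01Z 198.51.100.7 login_failed user=admin
2008-02-18T21:00:02Z 198.51.100.7 login_failed user=admin
2008-02-18T21:00:03Z 198.51.100.7 login_failed user=admin
2008-02-18T21:00:04Z 198.51.100.7 login_failed user=admin
2008-02-18T21:00:05Z 198.51.100.7 login_failed user=admin
2008-02-18T21:00:06Z 198.51.100.7 login_failed user=admin
2008-02-18T21:00:07Z 203.0.113.9 login_failed user=alice
2008-02-18T21:00:08Z 203.0.113.9 login_failed user=bob
2008-02-18T21:00:09Z 203.0.113.9 login_failed user=carol
2008-02-18T21:00:10Z 203.0.113.9 login_failed user=dave
2008-02-18T21:00:11Z 203.0.113.9 login_failed user=erin
2008-02-18T21:00:12Z 203.0.113.9 login_failed user=frank
2008-02-18T21:00:13Z 192.0.2.4 login_failed user=bob
2008-02-18T21:00:14Z 192.0.2.4 login_failed user=bob
garbage line that should be ignored
"""

# One well-formed failed-login record per line; anything else is skipped.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) login_failed user=(?P<user>\S+)$")


def parse_failures(text):
    """Return (ip, user) tuples for each well-formed failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("ip"), m.group("user")))
    return events


def classify_sources(events, default_accounts=frozenset({"admin"}),
                     brute_threshold=5, enum_threshold=5):
    """Per source IP, decide which of the two behaviours the post contrasts is present.

    default_account_bruteforce: repeated failures against a stock account (assumed
                                set: {"admin"}), the case the post says needs no
                                username oracle at all
    username_enumeration:       failures spread across many distinct usernames,
                                the probing pattern a validity indication assists
    Thresholds are assumed values for the example, not WordPress settings.
    """
    per_ip = defaultdict(list)
    for ip, user in events:
        per_ip[ip].append(user)

    verdicts = {}
    for ip, users in per_ip.items():
        distinct = set(users)
        default_hits = sum(1 for u in users if u in default_accounts)
        verdicts[ip] = {
            "attempts": len(users),
            "distinct_users": len(distinct),
            "default_account_bruteforce": default_hits >= brute_threshold,
            "username_enumeration": len(distinct) >= enum_threshold,
        }
    return verdicts


def analyse(text):
    """Convenience wrapper: parse the log text and classify every source address."""
    return classify_sources(parse_failures(text))


if __name__ == "__main__":
    for ip, verdict in sorted(analyse(SAMPLE_LOG).items()):
        print(ip, verdict)
```

On the constructed input, 198.51.100.7 is flagged only for hammering the default account, 203.0.113.9 only for sweeping usernames, and 192.0.2.4 (two failures for one ordinary user) for neither. Either flag is a prompt to rate-limit or block the source; the first one is also the operational argument the post makes, because it is possible whether or not the login form reveals which usernames exist.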

