[wp-hackers] WordPress can "leak" if a username is valid

James Davis james at freecharity.org.uk
Mon Feb 18 21:19:15 GMT 2008

Otto wrote:

> Both are wontfix's, and I agree with the reasoning. Knowing if the
> username is valid or not is not a security flaw. Security comes from
> the system actually being secure, not whether or not somebody can work
> out the usernames.
> I mean, okay, I understand it in the case of other utilities. Look at
> the old SSH documents, and yeah, a username leak makes it that much
> easier to run a brute force attack. But this is not SSH. This is a
> webpage with a login form. The same solutions should not instantly
> apply just because that's what people think of as 'secure'.
> What's the potential for harm here? What can somebody do knowing that
> the username is wrong or the password is wrong? Brute force attack? If
> we want to protect against brute force attacks, hiding the usernames
> isn't the right way to do it. The right way there would be to
> recognize rapid repeated failures to login from the same IP and block
> that IP for a period of time.

I'm not disagreeing with how these tickets should be closed but you've 
not illustrated why a brute force attack against WordPress is different 
to a brute force attack against SSH and why they shouldn't be afforded 
the same protective measures.

Almost all WordPress installations already disclose usernames because 
the user has instructed it to do so in post metadata or permalinks. 
There's nothing to be done about this. Brute force attacks against SSH 
rarely have such a glut of information readily available and so 
disclosure of valid names is a greater (relative?) risk.

(I'm not sure that blocking IPs is such a great idea - probably left to 
a plugin.)



More information about the wp-hackers mailing list