[wp-hackers] Maybe a secure-hole

Jeremy Clarke jer-wphackers at simianuprising.com
Thu Oct 9 19:47:36 GMT 2008

Couple things:

1) Remember, for 99% of users the goal isn't to foil a trained,
motivated, creative cracker who is spending their days poking holes in
your setup. There is probably 1 of those crackers for every ten
thousand WordPress blogs out there. The goal is to foil the goddamn
bots that that 1 jerk writes. The bots are the ones that spam the
whole internet using wp security flaws and they are the risk for most
sites (though I think the script overlords give special care once
they've hacked into a site that has a particularly good Google ranking,
for obvious reasons).

Those bots aren't as creative or skilled as the real hacker and they
are a *lot* easier to write if the hacker assumes the defaults and
attacks based on them. Changing your defaults isn't perfect but it
makes a difference, and it's a way for people who want to add to their
security to do so based on their expertise without taking too much
time. It gives big, serious wp sites the opportunity to avoid the
stupid robots and hope that they are never faced with an actual human.

2) The author url thing is actually annoying in a ton of ways because
whether it's hard-coded into the linking function or not, the
experience is that "login name == url text" and there's no visible way
to change it. On our site we've started giving all our users really
annoying login names with their full first and last name so that the
url will be /authors/jeremy-clarke/ rather than smart user names like
'jer' or 'jeremyc'.

So: it would be really nice if the author urls were
editable/choosable or if they just used display_name instead of login
name, both for potential security benefits and because it would be
aesthetically pleasing. It really is weird to click on a link with a
name on it and come to a url with the person's weird internet alias.

Why not just use a lowercase url-ized version of display name for
author urls? Isn't that completely better? It would be some work maybe
to make sure that the old links still work using canonical urls, but
that's what it's there for. Really it should be doing that anyway,
guessing about different versions of the usernames in urls.

Last thing: Why is there no permalinks field for the author base? If
anyone is going to look into this, it's the perfect time to offer that
as an option (this has come up before, I forget if there was a reason
other than lack of motivation).

Jeremy Clarke | http://simianuprising.com
Code and Design | http://globalvoicesonline.org
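An added example, not code from the post above or from WordPress core, showing the changes Jeremy asks for as a small plugin: author archive URLs built from a lowercased, URL-ized display_name, the legacy login-name URL kept working but 301-redirected to the new one, and the author base set without a permalinks-screen field. WordPress builds the author URL from the user_nicename column, which defaults to a sanitized copy of the login name, so swapping that path segment takes the login out of the URL while leaving WordPress's own nicename lookup untouched. It uses the real hooks author_link, request, template_redirect, user_register, profile_update and init and the core helpers named in the code; the dn_ function names and the dn_author_slug meta key are this example's own assumptions.

```php
<?php
/*
Plugin Name: Display-name author URLs (added example, not WordPress core)
Description: /authors/<display-name-slug>/ instead of /authors/<login>/,
with the legacy URL 301-redirected to the new one.
*/

// Hypothetical user-meta key this example uses to store each user's slug.
define( 'DN_SLUG_META', 'dn_author_slug' );

// Lowercase, URL-safe slug from the display name, unique across users.
function dn_build_slug( $user_id, $display_name ) {
	$base = sanitize_title( $display_name );   // "Jeremy Clarke" -> "jeremy-clarke"
	if ( '' === $base ) {
		$base = 'author';                      // display name had no usable characters
	}
	$slug = $base;
	$n    = 2;
	// Two accounts may share a display name: append -2, -3, ... until no
	// other user owns the slug (display names are user-controlled input).
	while ( get_users( array(
		'meta_key'   => DN_SLUG_META,
		'meta_value' => $slug,
		'exclude'    => array( $user_id ),
		'fields'     => 'ID',
	) ) ) {
		$slug = $base . '-' . $n++;
	}
	return $slug;
}

// Recompute the stored slug whenever a user is created or edited.
function dn_store_slug( $user_id ) {
	$user = get_userdata( $user_id );
	if ( $user ) {
		update_user_meta( $user_id, DN_SLUG_META, dn_build_slug( $user_id, $user->display_name ) );
	}
}
add_action( 'user_register', 'dn_store_slug' );
add_action( 'profile_update', 'dn_store_slug' );

// Slug for a user, computed lazily for accounts that predate the plugin.
function dn_slug_for( $user_id ) {
	$slug = get_user_meta( $user_id, DN_SLUG_META, true );
	if ( '' === $slug ) {
		dn_store_slug( $user_id );
		$slug = get_user_meta( $user_id, DN_SLUG_META, true );
	}
	return $slug;
}

// Outgoing links: fill the author permastruct with the display-name slug
// instead of user_nicename (which defaults to the sanitized login name).
function dn_author_link( $link, $author_id, $author_nicename ) {
	$struct = $GLOBALS['wp_rewrite']->get_author_permastruct();
	$slug   = dn_slug_for( $author_id );
	if ( empty( $struct ) || '' === $slug || $slug === $author_nicename ) {
		return $link;   // "ugly" ?author=N permalinks, or nothing to change
	}
	return home_url( user_trailingslashit( str_replace( '%author%', $slug, $struct ) ) );
}
add_filter( 'author_link', 'dn_author_link', 10, 3 );

// Per-request flag: did the request already use the canonical slug?
function dn_canonical_hit( $set = null ) {
	static $hit = false;
	if ( null !== $set ) {
		$hit = $set;
	}
	return $hit;
}

// Incoming requests: translate a display-name slug back to the real
// user_nicename so WordPress's normal author query runs unchanged.
function dn_resolve_author( $qv ) {
	if ( empty( $qv['author_name'] ) ) {
		return $qv;
	}
	$match = get_users( array( 'meta_key' => DN_SLUG_META, 'meta_value' => $qv['author_name'], 'number' => 1 ) );
	if ( $match ) {
		$qv['author_name'] = $match[0]->user_nicename;
		dn_canonical_hit( true );
	}
	return $qv;
}
add_filter( 'request', 'dn_resolve_author' );

// Legacy /authors/<login>/ still resolves (WordPress matched the nicename
// itself) but gets a permanent redirect to the canonical display-name URL.
function dn_redirect_legacy_author() {
	if ( ! is_author() || dn_canonical_hit() ) {
		return;
	}
	$author = get_queried_object();
	if ( ! empty( $author->ID ) && dn_slug_for( $author->ID ) !== $author->user_nicename ) {
		wp_safe_redirect( get_author_posts_url( $author->ID ), 301 );
		exit;
	}
}
add_action( 'template_redirect', 'dn_redirect_legacy_author' );

// The author base already exists in WP_Rewrite; it just has no field on
// the permalinks screen. Set it on init and flush the rules on activation.
function dn_set_author_base() {
	$GLOBALS['wp_rewrite']->author_base = 'authors';
}
add_action( 'init', 'dn_set_author_base' );
function dn_activate() {
	dn_set_author_base();   // must be set before the flush regenerates rules
	flush_rewrite_rules();
}
register_activation_hook( __FILE__, 'dn_activate' );
```

Two caveats a practitioner should keep in mind. Only the sanitized slug, never the raw display name, reaches the URL, because display names are chosen by the users themselves. And this changes what the author archive URL shows, nothing more: the redirect from a legacy URL drops any /page/N/ suffix, and ID-based probing of ?author=N still reveals that an author exists and what their display name is, so it reduces the exposure of login names rather than removing it.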

