[wp-hackers] Possible security patch

scribu scribu at gmail.com
Sat Dec 5 16:28:41 UTC 2009


The correct solution would be to not use an admin user for posting. You can
use the User Switching plugin for making this easier.

Also, the login name can be harvested by looking at the author archive URLs.


On Sat, Dec 5, 2009 at 5:38 PM, Ian Stewart <ian at themeshaper.com> wrote:

> Just wondered if I could get your opinion on a possible security patch I
> might try and write. I know WordPress is no fan of security through
> obscurity but as it stands right now, if you're publishing posts as the
> admin user, your login name can be harvested from the body_class and author
> URLs. Would there be any interest in seeing it patched to a sanitized
> display_name or nickname? I can't imagine how many WordPress sites are live
> with super-weak passwords and the admin login name just hanging out there.
>
> --
> Ian Stewart
>
> http://ThemeShaper.com/
> http://twitter.com/iandstewart/
> http://ianstewart.stumbleupon.com/
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>



-- 
http://scribu.net
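An added illustration of the exposure discussed in this thread (not code from either poster or from WordPress): a Python check that scans rendered HTML from your own site and reports which privileged login names show up in the body class or in author archive links. The `author-<slug>` class form, the `/author/<slug>/` URL form, the `slugify` approximation and every name in the sample page are assumptions.

```python
import re
from html.parser import HTMLParser

# Assumed markup conventions (not taken from the thread): a body class of the
# form "author-<slug>" and author archive links of the form "/author/<slug>/".
BODY_CLASS_RE = re.compile(r"^author-([a-z0-9_.-]+)$", re.I)
AUTHOR_URL_RE = re.compile(r"/author/([^/?#\"']+)", re.I)

def slugify(login):
    """Rough stand-in (assumption) for the slug a login name becomes in markup."""
    return re.sub(r"[^a-z0-9_.-]+", "-", login.lower()).strip("-")

class AuthorSlugCollector(HTMLParser):
    """Collects (slug, place) pairs from <body class> and <a href>."""
    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "body":
            for cls in (attrs.get("class") or "").split():
                m = BODY_CLASS_RE.match(cls)
                if m:
                    self.found.add((m.group(1).lower(), "body class"))
        elif tag == "a":
            m = AUTHOR_URL_RE.search(attrs.get("href") or "")
            if m:
                self.found.add((m.group(1).lower(), "author URL"))

def exposed_logins(html, privileged_logins):
    """Return {login: sorted places} for privileged logins visible in html."""
    collector = AuthorSlugCollector()
    collector.feed(html)
    by_slug = {slugify(name): name for name in privileged_logins}
    report = {}
    for slug, place in collector.found:
        if slug in by_slug:
            report.setdefault(by_slug[slug], set()).add(place)
    return {login: sorted(places) for login, places in report.items()}

# Constructed sample page, not captured from a real site.
SAMPLE = """<html><body class="archive author author-siteadmin">
<a href="http://example.com/author/siteadmin/">Posts by Jane</a>
<a href="http://example.com/author/guest-writer/">Posts by Sam</a>
</body></html>"""
```

An empty result for the accounts that hold admin rights is the state the reply above recommends: posts are published by a non-admin user, so no admin login appears in the markup.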

