[wp-hackers] Possible security patch

Mark Jaquith markjaquith at gmail.com
Mon Dec 7 08:04:44 UTC 2009


On Sat, Dec 5, 2009 at 10:38 AM, Ian Stewart <ian at themeshaper.com> wrote:
> Just wondered if I could get your opinion on a possible security patch I
> might try and write. I know WordPress is no fan of security through
> obscurity but as it stands right now, if you're publishing posts as the
> admin user, your login name can be harvested from the body_class and author
> URLs. Would there be any interest in seeing it patched to a sanitized
> display_name or nickname? I can't imagine how many WordPress sites are live
> with super-weak passwords and the admin login name just hanging out there.

You shouldn't be posting as the admin user. Make an Editor level
account for your posting. Limit your potential exposure in the event
of a password disclosure or brute-forcing.

There are many ways in which we disclose or hint at user names:

(1) The login form tells you when a password is wrong, as opposed to a
user name being wrong.
(2) Classes
(3) Author URLs

The login form thing is tremendously helpful to users. Raise your hand
if you've ever gotten a message like "that user/pass combo is invalid"
and had NO IDEA whether it was the user or the password that was
incorrect? I do that on a weekly basis.

The author URLs are user-friendly. How are you going to decouple that
from the login name without changing the user name or making the
author URLs less clean and less friendly? I don't think you can.
/author/mark-52300234/ ? Yuck.

I think I have a better method of tackling this issue: We now prompt
the user in the wp-admin when they are using the default install
password or a reset password. What about if we do a similar prompt if
"admin" is the only user on the blog, suggesting that they create a
second user name and use THAT for posting?

-- 
Mark Jaquith
• http://markjaquith.com/
• http://coveredwebservices.com/
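An added example of the wp-admin prompt proposed in the last paragraph, not code from this thread or from WordPress core: a small plugin that shows an admin notice when "admin" is the only account on the site and points the administrator at the new-user screen. It assumes the core functions count_users(), get_user_by(), current_user_can() and the admin_notices hook; the wph_ function names are made up for this illustration.

```php
<?php
/*
Plugin Name: Admin-Only Account Notice (illustrative example)
Description: Warns when "admin" is the sole user, so posting can move to a second account.
*/

// Hypothetical helper: true only when the site has exactly one user
// and that user's login name is "admin".
function wph_admin_is_only_user() {
    $counts = count_users();                      // core: ['total_users' => n, 'avail_roles' => [...]]
    if ( (int) $counts['total_users'] !== 1 ) {
        return false;
    }
    $user = get_user_by( 'login', 'admin' );      // core: WP_User on hit, false otherwise
    return $user instanceof WP_User;
}

// Render the notice in wp-admin, only for users who can actually create accounts.
function wph_admin_only_user_notice() {
    if ( ! current_user_can( 'create_users' ) || ! wph_admin_is_only_user() ) {
        return;
    }
    $new_user_url = esc_url( admin_url( 'user-new.php' ) );
    echo '<div class="error"><p>';
    echo 'The "admin" account is the only user on this site. Its login name is ';
    echo 'visible in author URLs and body classes, so a password guess is all an ';
    echo 'attacker needs. <a href="' . $new_user_url . '">Create a second account</a> ';
    echo '(an Editor is enough for posting) and publish with that one instead.';
    echo '</p></div>';
}
add_action( 'admin_notices', 'wph_admin_only_user_notice' );
```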