[wp-hackers] Possible security patch

Otto otto at ottodestruct.com
Mon Dec 7 17:09:38 UTC 2009


Ugh. Lots of solutions to what strikes me as a simple problem.

Actual solution: Let people change their username.

Seems simple enough to me. There are perfectly valid reasons to want a
different username, and it doesn't necessarily have anything to do
with security. I prefer to use "otto" instead of "admin". That's not a
security feature, that's just me wanting to use a different name.

There's no sane reason I can see for making the username unmodifiable.
It's easy enough to allow it to be altered, and a simple check to see
if the username is already taken is not difficult to add.

So forget all this talk. Just let people change the username. It's the
simplest solution by far. Yes, it doesn't address every "security"
concern, but it will stop the issue from coming up time and
again, and frankly there's no good reason I can find not to do it.

-Otto
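The rename-with-a-taken-check that the post describes, as an added example that is not part of the original message and not WordPress code. It uses a constructed in-memory SQLite table (not WordPress's real `wp_users` schema) and hypothetical function names. The point it shows beyond the post: the "is it taken?" check should be backed by a case-insensitive UNIQUE constraint, so two concurrent renames to the same name cannot both slip past a look-before-you-leap check.

```python
import sqlite3

# Constructed demo schema: a case-insensitive UNIQUE column is the real
# uniqueness guarantee; any pre-check in the UI is only a convenience.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " user_login TEXT NOT NULL COLLATE NOCASE UNIQUE)"
    )
    con.executemany(
        "INSERT INTO users (user_login) VALUES (?)", [("admin",), ("alice",)]
    )
    con.commit()
    return con


class InvalidUsername(ValueError):
    pass


class UsernameTaken(ValueError):
    pass


# Hypothetical policy: lowercase letters, digits, '_', '-', '.', 3..60 chars.
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789_-.")


def normalize_login(new_login):
    """Canonicalize and validate a requested username."""
    login = new_login.strip().lower()
    if not 3 <= len(login) <= 60 or any(c not in ALLOWED for c in login):
        raise InvalidUsername(new_login)
    return login


def is_taken(con, login):
    """Advisory pre-check for a form; the constraint still decides."""
    row = con.execute(
        "SELECT 1 FROM users WHERE user_login = ?", (normalize_login(login),)
    ).fetchone()
    return row is not None


def rename_user(con, user_id, new_login):
    """Change a user's login name; returns the stored (normalized) name.

    The UPDATE is the check: if another row already holds the name
    (case-insensitively), SQLite raises IntegrityError and the
    transaction is rolled back, so there is no check-then-act window.
    """
    login = normalize_login(new_login)
    try:
        with con:  # commit on success, rollback on exception
            cur = con.execute(
                "UPDATE users SET user_login = ? WHERE id = ?", (login, user_id)
            )
    except sqlite3.IntegrityError:
        raise UsernameTaken(login) from None
    if cur.rowcount != 1:
        raise LookupError(f"no user with id {user_id}")
    return login


if __name__ == "__main__":
    db = make_db()
    print(rename_user(db, 1, "Otto"))  # admin -> otto
    print(is_taken(db, "ADMIN"))      # False, the old name is free again
```

In a real deployment the rename would also be written to an audit log, and the old name should not be reused immediately for a different account if anything (comment attribution, external links) still refers to it.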

