[wp-hackers] Author URLs expose usernames

Chason Chaffin chason at gmail.com
Wed Jul 18 21:57:56 UTC 2012


I prefer to have as few things built into core as possible so that I can
either implement my own solutions, or choose the best of available
solutions.

You may like a basic disk based caching setup, but what if I have a more
complicated setup utilizing varnish and memcache? The caching built into
core would need to be able to handle this, but that would be a huge amount
of upkeep and maintenance to add to core.

"Security" is similar. What you define as security may not be the same
thing as myself. Plenty of people may not want to have people blocked after
a certain number of login attempts, or may want to implement that feature
in a separate way. Personally, I prefer to use something like fail2ban, but
others may want to use .htaccess, etc. This is a lot to build into
core, when core is better kept to be SIMPLE and EXTENSIBLE instead of
having it do everything for everyone.

On Wed, Jul 18, 2012 at 2:23 PM, אלמוג בקו <almog.baku at gmail.com> wrote:

> So.. Otto, why is the login limitation not part of the core?
> It seems so basic, and so important.
>
> The common wordpress user (website owner) doesn't even know the priority of
> issues like security and caching, so most of them didn't install the
> third-party plugins.
>
> Caching and security MUST be part of the core. From my point of view at
> least.
>
> ~ Almog.
>
>
> On Wednesday, 18 July 2012, Muhammad Ali wrote:
>
> > Short answer (must sleep), I used to use .htaccess and .htpasswd to
> > secure the wp-admin directory. If you so please. I would advise also using a
> > captcha login page plugin of some type.
> >
> >
> > On 18 July 2012 18:52, Otto <otto at ottodestruct.com> wrote:
> >
> > > On Tue, Jul 17, 2012 at 11:13 PM, Tom Barrett <tcbarrett at gmail.com> wrote:
> > > > The main issue is exposing the username, passing an author id in the
> > > > url is just an easy way to find it.
> > >
> > > Exposing the username isn't the issue. The username isn't secret, nor
> > > should it need to be.
> > >
> > > The issue is allowing brute-force attacks to be carried out against
> > > your site, and having passwords that can be brute-forced to begin
> > > with.
> > >
> > > Consider the case where the username would be considered "secret". A
> > > brute-force attack would now have to work against both the username
> > > and the password. This is mathematically equivalent to knowing the
> > > username and just making the password roughly twice as long.
> > >
> > > However, it's not really equivalent, because while security
> > > professionals have been saying to make your passwords hard for
> > > decades, they have not been saying to make your usernames hard as
> > > well. Usernames are more likely to be all lowercase, for example. It's
> > > easier to brute-force a username than to brute-force a password,
> > > basically. So hiding the username isn't adding a whole lot of extra
> > > security to this particular attack-vector. Making the password more
> > > complex or longer adds a ton more security.
> > >
> > > What's more, usernames themselves are generally *known* anyway. Most
> > > modern systems don't even have usernames, they simply use the email
> > > address as the username. The real security is in the password and the
> > > difficulty therein.
> > >
> > > If you want to stop this sort of thing, attack the real problems. Stop
> > > the brute-force attacks from working at all by using a plugin like
> > > Limit Login Attempts
> > > (http://wordpress.org/extend/plugins/limit-login-attempts/) or enforce
> > > a good-password policy to begin with. Hiding the username just changes
> > > the attack vector, and stops it for a limited time, until they adapt
> > > to it. It doesn't actually solve the underlying problem.
> > >
> > > -Otto
> > > _______________________________________________
> > > wp-hackers mailing list
> > > wp-hackers at lists.automattic.com
> > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > >
>

