[wp-hackers] Author URLs expose usernames

אלמוג בקו almog.baku at gmail.com
Wed Jul 18 22:25:01 UTC 2012


Hey, I know both of the WP caching plugins.. And again, take a quick look
at Drupal caching..
But I suggest taking this conversation to another thread, because it
has become a discussion about caching instead of URL structure.

On Thursday, 19 July 2012, Chason Chaffin wrote:

> While I haven't used Drupal extensively, my experience with helping people
> troubleshoot it did not give me a lot of confidence in their caching
> system. It may be simple and built in, but it does not scale well. And
> since it is built so deep into the core, if you need to do something that
> is not covered in its use cases you are out of luck.
>
> If you need a caching plugin for WP that is simple, take a look at WP Super
> Cache. This is the reason why leaving caching in plugins is great, it
> allows for solutions that meet the diverse needs of the people that use
> WordPress.
>
> On Wed, Jul 18, 2012 at 3:14 PM, אלמוג בקו <almog.baku at gmail.com>
> wrote:
>
> > Agree, but there are issues that the core should offer, like caching. The
> > third-party plugins make it complicated and confusing.
> >
> > Look at Drupal for example. The caching system is so deep into the core,
> > so it is so easy to configure!
> > Drupal's caching system is a great example of something that the core does
> > better than a third-party system.
> > Look at the W3 Total Cache plugin..  Great plugin! But very complicated to
> > configure, and causes a lot of problems.. Now take a quick look at the
> > Drupal caching configuration page.. And see the differences.
> >
> > ~ Almog
> >
> > On Thursday, 19 July 2012, Chason Chaffin wrote:
> >
> > > I prefer to have as few things built into core as possible so that I
> > > can either implement my own solutions, or choose the best of available
> > > solutions.
> > > You may like a basic disk based caching setup, but what if I have a
> > > more complicated setup utilizing varnish and memcache? The caching built
> > > into core would need to be able to handle this, but that would be a huge
> > > amount of upkeep and maintenance to add to core.
> > >
> > > "Security" is similar. What you define as security may not be the same
> > > thing as myself. Plenty of people may not want to have people blocked
> > > after a certain number of login attempts, or may want to implement that
> > > feature in a separate way. Personally, I prefer to use something like
> > > fail2ban, but others may want to use .htaccess, etc etc. This is a lot
> > > to build into core, when core is better kept to be SIMPLE and EXTENSIBLE
> > > instead of having it do everything for everyone.
> > >
> > > On Wed, Jul 18, 2012 at 2:23 PM, אלמוג בקו <almog.baku at gmail.com>
> > > wrote:
> > >
> > > > So.. Otto, why is the login limitation not part of the core?
> > > > It seems so basic, and so important.
> > > >
> > > > The common WordPress user (website owner) doesn't even know the
> > > > priority of issues like security and caching, so most of them don't
> > > > install the third-party plugins.
> > > >
> > > > Caching and security MUST be part of the core. From my point of view
> > > > at least.
> > > >
> > > > ~ Almog.
> > > >
> > > >
> > > > On Wednesday, 18 July 2012, Muhammad Ali wrote:
> > > >
> > > > > Short answer (must sleep), I used to use .htaccess and .htpasswd to
> > > > > secure the wp-admin directory. If you so please. I would advise also
> > > > > using a captcha login page plugin of some time.
> > > > >
> > > > >
> > > > > On 18 July 2012 18:52, Otto <otto at ottodestruct.com> wrote:
> > > > >
> > > > > > On Tue, Jul 17, 2012 at 11:13 PM, Tom Barrett <tcbarrett at gmail.com>
> > > > > > wrote:
> > > > > > > The main issue is exposing the username, passing an author id in
> > > > > > > the url is just an easy way to find it.
> > > > > >
> > > > > > Exposing the username isn't the issue. The username isn't secret,
> > > > > > nor should it need to be.
> > > > > >
> > > > > > The issue is allowing brute-force attacks to be carried out against
> > > > > > your site, and having passwords that can be brute-forced to begin
> > > > > > with.
> > > > > >
> > > > > > Consider the case where the username would be considered "secret".
> > > > > > A brute-force attack would now have to work against both the
> > > > > > username and the password. This is mathematically equivalent to
> > > > > > knowing the username and just making the password roughly twice as
> > > > > > long.
> > > > > >
> > > > > > However, it's not really equivalent, because while security
> > > > > > professionals have been saying to make your passwords hard for
> > > > > > decades, they have not been saying to make your usernames hard as
> > > > > > well. Usernames are more likely to be all lowercase, for example.
> > > > > > It's easier to brute-force a username than to brute-force a
> > > > > > password, basically. So hiding the username isn't adding a whole
> > > > > > lot of extra security to this particular attack-vector. Making the
> > > > > > password more complex or longer adds a ton more security.
> > > > > >
> > > > > > What's more, usernames themselves are generally *known* anyway.
> > > > > > Most modern systems don't even have usernames, they simply use the
> > > > > > email address as the username. The real security is in the password
> > > > > > and the difficulty therein.
> > > > > >
> > > > > > If you want to stop this sort of thing, attack the real problems.
> > > > > > Stop the brute-force attacks from working at all by using a plugin
> > > > > > like Limit Login Attempts
> > > > > > (http://wordpress.org/extend/plugins/limit-login-attempts/) or
> > > > > > enforce a good-password policy to begin with. Hiding the username
> > > > > > just changes the attack vector, and stops it for a limited time,
> > > > > > until they adapt to it. It doesn't actually solve the underlying
> > > > > > problem.
> > > > > >
> > > > > > -Otto
> > > > > > _______________________________________________
> > > > > > wp-hackers mailing list
> > > > > > wp-hackers at lists.automattic.com
> > > > > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > > > > >


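Otto's reply above makes two points that are easier to see in code than in prose: the search-space arithmetic behind "a secret username is roughly a longer password, except that usernames have less entropy", and the mitigation he actually recommends, which is refusing further login attempts after a burst of failures rather than hiding the username. The example below is added here as an illustration; it is not code from the wp-hackers thread, from WordPress core, or from the Limit Login Attempts plugin. The character-set sizes, thresholds, account, client addresses and login events are all constructed assumptions for the demonstration.

```python
"""Added example (not from the thread, WordPress or any plugin): the
search-space arithmetic Otto describes, and a minimal per-client login
lockout of the kind he recommends instead of hiding usernames."""
import hashlib
import hmac
import math
import os
from collections import defaultdict, deque

# --- Part 1: "secret username" versus "longer password", in bits of search space ---

def search_space_bits(charset_size: int, length: int) -> float:
    """log2 of the number of strings of `length` symbols over `charset_size` symbols."""
    return length * math.log2(charset_size)

def compare_hiding_username(pw_len: int = 8, user_len: int = 8) -> dict:
    """Assumed alphabets: 62 mixed-case alphanumerics for passwords, 26 lowercase
    letters for usernames (Otto's point that usernames tend to be all lowercase)."""
    password_only = search_space_bits(62, pw_len)
    secret_username = search_space_bits(26, user_len)
    return {
        "password_only": password_only,
        "secret_username_plus_password": password_only + secret_username,
        "double_length_password": search_space_bits(62, 2 * pw_len),
    }

# --- Part 2: refuse logins from a client after too many failures in a window ---

class LoginLimiter:
    """After `max_failures` failed attempts from one client within `window_s`
    seconds, refuse that client for `lockout_s` seconds. Keyed on the client
    address, so guessing across many usernames from one source is throttled too."""

    def __init__(self, max_failures: int = 5, window_s: int = 600, lockout_s: int = 1200):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self._failures: dict[str, deque] = defaultdict(deque)  # client -> failure timestamps
        self._locked_until: dict[str, float] = {}

    def is_locked(self, client: str, now: float) -> bool:
        until = self._locked_until.get(client)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[client]       # lockout expired: count afresh
        self._failures.pop(client, None)
        return False

    def record_failure(self, client: str, now: float) -> bool:
        """Returns True when this failure triggers a lockout."""
        q = self._failures[client]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[client] = now + self.lockout_s
            q.clear()
            return True
        return False

    def record_success(self, client: str) -> None:
        self._failures.pop(client, None)

# Constructed credential store: salted PBKDF2 so a stored hash is expensive to guess offline.
_ITER = 100_000

def make_record(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)

def verify(record, password: str) -> bool:
    salt, digest = record
    return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER))

USERS = {"admin": make_record("correct horse battery staple")}  # constructed sample account
_DUMMY = make_record("dummy")  # verified against for unknown usernames so timing does not reveal them

def attempt(limiter: LoginLimiter, users: dict, client: str, username: str, password: str, now: float) -> str:
    """Returns "locked", "fail" or "ok". A locked client is refused before any password check."""
    if limiter.is_locked(client, now):
        return "locked"
    record = users.get(username, _DUMMY)
    if username in users and verify(record, password):
        limiter.record_success(client)
        return "ok"
    verify(record, password) if username not in users else None  # equalise work for unknown users
    limiter.record_failure(client, now)
    return "fail"

# Constructed sample events: (seconds, client address, username, password tried).
SAMPLE_EVENTS = [
    (0, "203.0.113.5", "admin", "guess-1"),
    (1, "203.0.113.5", "admin", "guess-2"),
    (2, "203.0.113.5", "admin", "guess-3"),
    (3, "203.0.113.5", "admin", "guess-4"),
    (4, "203.0.113.5", "admin", "guess-5"),   # fifth failure triggers the lockout
    (5, "203.0.113.5", "admin", "guess-6"),   # refused without checking the password
    (6, "203.0.113.5", "admin", "correct horse battery staple"),  # even the right password is refused
    (7, "198.51.100.7", "admin", "correct horse battery staple"),  # another client is unaffected
]

def replay(events=SAMPLE_EVENTS, limiter: LoginLimiter = None) -> list:
    limiter = limiter or LoginLimiter()
    return [attempt(limiter, USERS, c, u, p, t) for t, c, u, p in events]

if __name__ == "__main__":
    print(compare_hiding_username())
    print(replay())
```

Keying the limiter on the client rather than on the username is a deliberate choice: a per-username counter lets a single source lock legitimate users out of their own accounts, whereas a per-client counter only affects the source of the failures. The unknown-username branch does the same hashing work as a wrong password so the response time does not turn the login form into the very username oracle the thread title describes.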