[wp-hackers] Author URLs expose usernames

Otto otto at ottodestruct.com
Thu Jul 19 08:26:46 UTC 2012

On Thu, Jul 19, 2012 at 2:00 AM, Tom Barrett <tcbarrett at gmail.com> wrote:
> Is it not worth pursuing a non perfect solution that does add some security
> before something better comes along?

No. Fake/pretend security is worse than no security at all, because it
tricks you into thinking that it is somehow more secure when it isn't.
Example: Look at all the places on the internet that recommend turning
off SSID-broadcast on your WiFi router, for security reasons. The fact
that turning off SSID-broadcast literally adds *zero* extra security
doesn't seem to matter, people think "hidden" is somehow more secure.

> You don't think the ease with which
> anyone can, by default, find out all the usernames makes it easier to hack
> a WordPress installation? It is not a risk at all? Or it is not a
> significant enough risk?

I don't think it's a risk at all, nor would going to extreme efforts
to hide usernames make any real difference. And such efforts would be
*extreme*, the username was designed from the very beginning to be
public information, it's available and used in possibly dozens of

My username on my own sites is "otto". The whole world knowing this
doesn't make me less secure, because you don't know my password, and
there's no chance of you brute-forcing my highly randomized password
either. The problem you should be addressing is the brute-force
attacks, not the fact that people can figure out your username. Public
usernames are not the real problem.

But putting something into core to address brute force attacks won't
work either, because this is fundamentally something that shouldn't
happen at the WordPress level. If somebody is running rapid fire
requests against your site, then you should be recognizing and
blocking those requests before PHP ever fires. This is a hosting-level
problem, your host should provide you tools to recognize and/or block
this, or you should use tools designed to do this yourself.. A brute
force attack on the login page, or any other form on the site,
basically is a DOS attack. Consider it from that angle. Your users
using crappy passwords is a user-education problem. Consider it from
that angle as well. You can't really apply technological solutions to
what are fundamentally human problems.

IMO, of course.


More information about the wp-hackers mailing list