[wp-hackers] Author URLs expose usernames

Rob Miller rob at bigfish.co.uk
Thu Jul 19 08:40:56 UTC 2012

On Thursday, 19 July 2012 at 09:26, Otto wrote:

> But putting something into core to address brute force attacks won't
> work either, because this is fundamentally something that shouldn't
> happen at the WordPress level.

I disagree, for whatever it's worth; the vast majority of WordPress's audience, and certainly the ones who are most likely to choose brute-forceable passwords — the low-hanging fruit, I guess — aren't going to be aware of this as a problem. I don't see how it can hurt, even if there is or should be DOS protection at an ISP level, to implement some kind of login throttling with sensible defaults (that is, defaults that err on the side of false negatives).


Rob Miller
Head of Digital

big fish®
11 Chelsea Wharf
15 Lots Road
SW10 0QJ
Office number: +44 (0)20 7795 0075
Direct number: +44 (0)20 7376 6799

www.bigfish.co.uk (http://www.bigfish.co.uk/)
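One shape the login throttling proposed above could take, as an added example written for this post and not code from WordPress core or from anyone in the thread (the thresholds, the IP/username keying and the `LoginThrottle` class are assumptions chosen to illustrate defaults that err on the side of false negatives):

```python
import time
from collections import deque

# Defaults deliberately err toward false negatives: a user who fumbles a
# password is delayed for seconds, never locked out for hours, while an
# automated guesser is held to a handful of attempts per window.
MAX_FREE_FAILURES = 5      # failures tolerated before any delay applies
BASE_DELAY_SECONDS = 5.0   # first delay once the threshold is crossed
MAX_DELAY_SECONDS = 300.0  # hard cap on any single delay
WINDOW_SECONDS = 900.0     # failures older than this are forgotten

class LoginThrottle:
    """Failed-login throttle keyed on (client IP, username) with capped backoff."""
    def __init__(self):
        self._failures = {}       # key -> deque of failure timestamps
        self._blocked_until = {}  # key -> monotonic time when attempts resume

    @staticmethod
    def _key(ip, username):
        # Keying on the pair limits collateral damage: a guesser hammering one
        # account does not lock out every user behind the same NAT address.
        return (ip, username.lower())

    def seconds_until_allowed(self, ip, username, now=None):
        """0.0 if an attempt may proceed, otherwise the remaining wait."""
        now = time.monotonic() if now is None else now
        until = self._blocked_until.get(self._key(ip, username), 0.0)
        return max(0.0, until - now)

    def record_failure(self, ip, username, now=None):
        """Register a failed attempt; returns the delay now imposed (0.0 if none)."""
        now = time.monotonic() if now is None else now
        key = self._key(ip, username)
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > WINDOW_SECONDS:   # forget stale failures
            q.popleft()
        q.append(now)
        excess = len(q) - MAX_FREE_FAILURES
        if excess <= 0:
            return 0.0
        delay = min(BASE_DELAY_SECONDS * 2 ** (excess - 1), MAX_DELAY_SECONDS)
        self._blocked_until[key] = now + delay
        return delay

    def record_success(self, ip, username):
        """A correct password clears the slate for that IP/username pair."""
        key = self._key(ip, username)
        self._failures.pop(key, None)
        self._blocked_until.pop(key, None)
```

Keying on the IP/username pair is the false-negative-biased choice: guessing spread across many addresses is not slowed, which is the trade-off that erring away from locking out legitimate users implies.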
