[wp-hackers] Author URLs expose usernames
Harry Metcalfe
harry at dxw.com
Thu Jul 19 12:21:01 UTC 2012
On 19/07/12 09:26, Otto wrote:
> But putting something into core to address brute force attacks won't
> work either, because this is fundamentally something that shouldn't
> happen at the WordPress level.
Neither is preventing directory listings, yet there are numerous blank
index.php files in WP for exactly that purpose.
In any case, I don't think this is right.
Mostly because the majority of the WordPress installations are not very
well configured. In fact, in my experience, the majority of WordPress
installations are extremely poorly configured. And many users would be
completely baffled by the suggestion that they should configure Apache
or PHP or an IDS to solve these problems. You've already acknowledged
that limit-login-attempts is a good solution to the problem, and I agree.
Secondly, you're ignoring defence-in-depth. I certainly think that it
would be sensible to block brute-force attacks at the lowest level
possible (though they are manifestly not DoS attacks). But that doesn't
mean it's not also sensible to block it at the WordPress level. Less
important, but sensible.
As an example, we limit the ability for people to make SSH connections
to our machines. We use iptables to do that. And in case iptables ever
stopped working for some reason (most likely, by misconfiguration or
mistake) it's also blocked in the sshd config (or perhaps by hosts.deny,
I forget).
Anyway. Just because a problem *can* be solved by configuration, doesn't
mean the WordPress core is excused from making any attempt to do the same.
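For concreteness, here is what a WordPress-level lockout of the kind discussed in this thread looks like. This is an added example, not code from this post, from WordPress core, or from the limit-login-attempts plugin; it uses only core hooks (`wp_login_failed`, `authenticate`, `wp_login`) and the transients API. It assumes it is installed as a must-use plugin, that `$_SERVER['REMOTE_ADDR']` is the real client address (not a proxy), and the `BF_*` thresholds, `bf_*` function names and transient prefixes are all made up here.

```php
<?php
/*
 * Plugin Name: Example per-IP login lockout (added illustration, not core code)
 *
 * Assumptions: installed under wp-content/mu-plugins/, REMOTE_ADDR is the
 * client address (do not read X-Forwarded-For unless a trusted proxy sets
 * it, since the attacker controls that header otherwise), and the
 * thresholds below are illustrative, not recommended values.
 */

const BF_MAX_ATTEMPTS = 5;    // failures tolerated inside one window
const BF_WINDOW       = 600;  // seconds failures are remembered
const BF_LOCKOUT      = 900;  // seconds a locked-out IP is refused

function bf_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names are limited in length and must be safe for the options
// table, so hash the address rather than embedding it raw.
function bf_key($prefix, $ip) {
    return $prefix . md5($ip);
}

function bf_is_locked($ip) {
    return get_transient(bf_key('bf_lock_', $ip)) !== false;
}

// 1. Count failures per source IP. Core fires wp_login_failed whenever
//    authentication returns a WP_Error for a non-empty username/password,
//    so this also fires for our own 'too_many_attempts' error; skip those.
add_action('wp_login_failed', function ($username) {
    $ip = bf_client_ip();
    if (bf_is_locked($ip)) {
        return;
    }
    $count = (int) get_transient(bf_key('bf_fail_', $ip)) + 1;
    set_transient(bf_key('bf_fail_', $ip), $count, BF_WINDOW);
    if ($count >= BF_MAX_ATTEMPTS) {
        set_transient(bf_key('bf_lock_', $ip), time(), BF_LOCKOUT);
        delete_transient(bf_key('bf_fail_', $ip));
    }
});

// 2. Refuse a locked-out IP even when the password is correct. A high
//    priority is used deliberately: wp_authenticate_username_password (20)
//    ignores an incoming WP_Error when credentials are non-empty and may
//    return a WP_User, so an early WP_Error would be overridden.
add_filter('authenticate', function ($user, $username, $password) {
    if (bf_is_locked(bf_client_ip())) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}, 99, 3);

// 3. Reset the failure counter after a successful login.
add_action('wp_login', function ($user_login) {
    delete_transient(bf_key('bf_fail_', bf_client_ip()));
});
```

Two caveats a practitioner would want: keyed on IP alone, this locks out everyone behind a shared NAT once one of them misbehaves, and it does nothing against a distributed attack that spreads attempts across many addresses, which is exactly why the lower-level controls discussed above are still worth having in addition.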