[wp-trac] [WordPress Trac] #63441: Exposed Users
WordPress Trac
noreply at wordpress.org
Tue May 13 16:13:55 UTC 2025
#63441: Exposed Users
--------------------------+----------------------
Reporter: strahan | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: General | Version:
Severity: normal | Resolution: invalid
Keywords: | Focuses:
--------------------------+----------------------
Changes (by jorbin):
* status: new => closed
* resolution: => invalid
* severity: critical => normal
* milestone: Awaiting Review =>
Comment:
Hi @strahan, welcome to WordPress Core Trac.
The [https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue WordPress project doesn’t consider usernames or user ids
to be private or secure information]. A username is part of your online
identity. It is meant to identify, not verify, who you are saying you are.
Verification is the job of the password.
Generally speaking, people do not consider usernames to be secret, often
sharing them openly. Additionally, many major online establishments — such
as Google and Facebook — have done away with usernames in favor of email
addresses, which are shared around constantly and freely. WordPress has
also moved this way, allowing users to log in with an email address or
username since version 4.5.
Instead of attempting to hide a public identifier, WordPress attempts to
encourage users to choose strong passwords instead, through both user
interface as well as education.
Note that WordPress is not the only open source project to believe this.
[https://www.drupal.org/node/1004778 Drupal has similar arguments for the
same thing].
--
Ticket URL: <https://core.trac.wordpress.org/ticket/63441#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform