[wp-hackers] Re: WordPress can "leak" if a user name is valid
seth at thenextwave.biz
Mon Feb 18 22:37:18 GMT 2008
My Fantastico setup uses admin as default, with the option to change it
to whatever you want, within the constraints of the WP user name format.
Just my .02 cents.
Even if you know a user name, WordPress' track record for security is a
mixed bag anyway - most (all?) of the exploits don't need a user name or
a password to work.
Seth Chromick, Web Developer
The Next Wave <http://thenextwave.biz>
> That's terribly inaccurate. Most Fantastico installations will force
> users to choose a different username at setup.
> On Feb 18, 3:01 pm, "Will Brown" <will.h.br... at gmail.com> wrote:
>> I have to say I agree with Otto. Every attacker already knows a username
>> they can bruteforce with: "admin". Every single WordPress installation has
>> the admin user unless someone's gone in and changed the database, so an
>> attacker doesn't need to use this method to gain a hack-able account.
>> If we're really worried about the security of usernames and being able to
>> guess them, then we should do away with a default, unchangeable administrator
>> username, instead of an indication that a username exists.