[wp-hackers] Author URLs expose usernames

Simon Prosser pross at pross.org.uk
Wed Jul 18 22:09:46 UTC 2012


Isn't it just easier to just not have admin users as public authors?
Thats the whole point right?

On 18 July 2012 22:57, Chason Chaffin <chason at gmail.com> wrote:
> I prefer to have as few things built into core as possible so that I can
> either implement my own solutions, or choose the best of available
> solutions.
>
> You may like a basic disk based caching setup, but what if I have a more
> complicated setup utilizing varnish and memcache? The caching built into
> core would need to be able to handle this, but that would be a huge amount
> of upkeep and maintenance to add to core.
>
> "Security" is similar. What you define as security may not be the same
> thing as myself. Plenty of people may not want to have people blocked after
> a certain number of login attempts, or may want to implement that feature
> in a separate way. Personally, I prefer to use something like fail2ban, but
> others may want to use .htaccess, etc etc. This is a lot to build into
> core, when core is better kept to be SIMPLE and EXTENSIBLE instead of
> having it do everything for everyone.
>
> On Wed, Jul 18, 2012 at 2:23 PM, אלמוג בקו <almog.baku at gmail.com> wrote:
>
>> So.. Otto, why is the login limitation not part of the core?
>> Its seems so basic, and so important.
>>
>> The common wordpress user(website owner) doesnt even know the priority of
>> issues like security and caching, so most of them didn't install the
>> third-party plugins.
>>
>> Caching and security MUST be part of the core. From my point of view at
>> least.
>>
>> ~ Almog.
>>
>>
>> בתאריך יום רביעי, 18 ביולי 2012, Muhammad Ali כתב:
>>
>> > Short answer (must sleep), I used to use .htaccess and .htpasswd to
>> secure
>> > the wp-admin directory. If you so please. I would advise also using a
>> > captcha login page plugin of some time.
>> >
>> >
>> > On 18 July 2012 18:52, Otto <otto at ottodestruct.com <javascript:;>>
>> wrote:
>> >
>> > > On Tue, Jul 17, 2012 at 11:13 PM, Tom Barrett <tcbarrett at gmail.com
>> <javascript:;>>
>> > wrote:
>> > > > The main issue is exposing the username, passing an author id in the
>> > url
>> > > is
>> > > > just an easy way to find it.
>> > >
>> > > Exposing the username isn't the issue. The username isn't secret, nor
>> > > should it need to be.
>> > >
>> > > The issue is allowing brute-force attacks to be carried out against
>> > > your site, and having passwords that can be brute-forced to begin
>> > > with.
>> > >
>> > > Consider the case where the username would be considered "secret". A
>> > > brute-force attack would now have to work against both the username
>> > > and the password. This is mathematically equivalent to knowing the
>> > > username and just making the password roughly twice as long.
>> > >
>> > > However, it's not really equivalent, because while security
>> > > professionals have been saying to make your passwords hard for
>> > > decades, they have not been saying to make your usernames hard as
>> > > well. Usernames are more likely to be all lowercase, for example. It's
>> > > easier to brute-force a username than to brute-force a password,
>> > > basically. So hiding the username isn't adding a whole lot of extra
>> > > security to this particular attack-vector. Making the password more
>> > > complex or longer adds a ton more security.
>> > >
>> > > What's more, usernames themselves are generally *known* anyway. Most
>> > > modern systems don't even have usernames, they simply use the email
>> > > address as the username. The real security is in the password and the
>> > > difficulty therein.
>> > >
>> > > If you want to stop this sort of thing, attack the real problems. Stop
>> > > the brute-force attacks from working at all by using a plugin like
>> > > Limit Login Attempts
>> > > (http://wordpress.org/extend/plugins/limit-login-attempts/) or enforce
>> > > a good-password policy to begin with. Hiding the username just changes
>> > > the attack vector, and stops it for a limited time, until they adapt
>> > > to it. It doesn't actually solve the underlying problem.
>> > >
>> > > -Otto
>> > > _______________________________________________
>> > > wp-hackers mailing list
>> > > wp-hackers at lists.automattic.com <javascript:;>
>> > > http://lists.automattic.com/mailman/listinfo/wp-hackers
>> > >
>> > _______________________________________________
>> > wp-hackers mailing list
>> > wp-hackers at lists.automattic.com <javascript:;>
>> > http://lists.automattic.com/mailman/listinfo/wp-hackers
>> >
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers



-- 
My Blog: http://pross.org.uk/
Plugins : http://pross.org.uk/plugins/
Themes: http://wordpress.org/extend/themes/profile/pross


More information about the wp-hackers mailing list