[wp-hackers] Author URLs expose usernames
rob at bigfish.co.uk
Thu Jul 19 08:40:56 UTC 2012
On Thursday, 19 July 2012 at 09:26, Otto wrote:
> But putting something into core to address brute force attacks won't
> work either, because this is fundamentally something that shouldn't
> happen at the WordPress level.
I disagree, for whatever it's worth; the vast majority of WordPress's audience, and certainly the ones who are most likely to choose brute-forceable passwords — the low-hanging fruit, I guess — aren't going to be aware of this as a problem. I don't see how it can hurt, even if there is or should be DOS protection at an ISP level, to implement some kind of login throttling with sensible defaults (that is, defaults that err on the side of false negatives).
Head of Digital
11 Chelsea Wharf
15 Lots Road
Office number: +44 (0)20 7795 0075
Direct number: +44 (0)20 7376 6799
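The kind of throttle the post argues for, as an added example that is not from the post or from WordPress core: a small plugin that counts failed logins per source address and username in a transient and refuses further attempts only after a deliberately generous limit, so the defaults err on the side of false negatives. The plugin name, the `clt_` prefix and the two limit constants are assumptions; the hooks (`wp_login_failed`, `authenticate`, `wp_login`) and the transient functions are real WordPress APIs.

```php
<?php
/*
Plugin Name: Conservative Login Throttle (example)
*/

// Hypothetical defaults chosen to err on the side of false negatives:
// a real user mistyping a few times is never locked out.
define( 'CLT_MAX_FAILURES', 10 );                       // failures allowed inside the window
define( 'CLT_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS ); // sliding window; constant is WordPress's own

function clt_key( $username ) {
    // Caveat: behind a reverse proxy REMOTE_ADDR is the proxy, not the client.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // Key on address + username so one source cannot lock out a user for everyone else.
    return 'clt_' . md5( $ip . '|' . strtolower( $username ) );
}

// Runs on every failed login; the transient's expiry is the window, so the
// counter resets by itself without any cron job.
function clt_record_failure( $username ) {
    $key   = clt_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, CLT_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'clt_record_failure' );

// Priority 30 runs after core's password check at 20, so a WP_Error returned
// here cannot be overwritten by a later successful username/password match.
function clt_check( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    if ( (int) get_transient( clt_key( $username ) ) >= CLT_MAX_FAILURES ) {
        return new WP_Error( 'clt_throttled', __( 'Too many failed logins; try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'clt_check', 30, 3 );

// A successful login clears the counter for that address/username pair.
function clt_clear( $user_login, $user ) {
    delete_transient( clt_key( $user_login ) );
}
add_action( 'wp_login', 'clt_clear', 10, 2 );
```

Because the throttle error itself fires `wp_login_failed`, attempts made during the lockout keep the window alive rather than shortening it.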