[wp-hackers] Author URLs expose usernames

Harry Metcalfe harry at dxw.com
Thu Jul 19 12:21:01 UTC 2012


On 19/07/12 09:26, Otto wrote:
> But putting something into core to address brute force attacks won't
> work either, because this is fundamentally something that shouldn't
> happen at the WordPress level.

Neither is preventing directory listings, yet there are numerous blank 
index.php files in WP for exactly that purpose.

In any case, I don't think this is right.

Mostly because the majority of the WordPress installations are not very 
well configured. In fact, in my experience, the majority of WordPress 
installations are extremely poorly configured. And many users would be 
completely baffled by the suggestion that they should configure Apache 
or PHP or an IDS to solve these problems. You've already acknowledged 
that limit-login-attempts is a good solution to the problem, and I agree.

Secondly, you're ignoring defence-in-depth. I certainly think that it 
would be sensible to block brute-force attacks at the lowest level 
possible (though they are manifestly not DoS attacks). But that doesn't 
mean it's not also sensible to block it at the WordPress level. Less 
important, but sensible.

As an example, we limit the ability for people to make SSH connections 
to our machines. We use iptables to do that. And in case iptables ever 
stopped working for some reason (most likely, by misconfiguration or 
mistake) it's also blocked in the sshd config (or perhaps by hosts.deny, 
I forget).

Anyway. Just because a problem *can* be solved by configuration, doesn't 
mean the WordPress core is excused from making any attempt to do the same.
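The WordPress-level layer of the defence-in-depth argument above, as an added example written for this thread (it is not WordPress core code and not the limit-login-attempts plugin): a small plugin that counts failed logins per client address in a transient and refuses authentication once the count passes a threshold. The hooks used (`wp_login_failed`, `wp_login`, `authenticate`) and the transient functions are WordPress's own; the limits, the `example_lt_` prefix and the decision to key on `REMOTE_ADDR` only are assumptions made here.

```php
<?php
/*
 * Plugin Name: Example Login Throttle
 * Description: Added example, not core or the limit-login-attempts plugin:
 * after repeated failed logins from one client address, refuse further
 * attempts for a while, so brute forcing a known username is slowed down
 * even when nothing in front of WordPress is doing rate limiting.
 */

// Assumed tunables (not from the discussion): five failures within
// fifteen minutes block the client until the window expires.
define( 'EXAMPLE_LT_MAX_FAILURES', 5 );
define( 'EXAMPLE_LT_WINDOW', 15 * 60 );

// Transient key for the requesting client. Only REMOTE_ADDR is used:
// X-Forwarded-For is client-supplied unless a proxy you control sets it,
// so keying on it would let the counter be reset at will.
function example_lt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_lt_' . md5( $ip );
}

// Count a failed attempt. Core fires wp_login_failed for every unsuccessful
// login; re-setting the transient on each failure makes the window slide,
// so a client that keeps trying while blocked stays blocked.
function example_lt_record_failure( $username ) {
    $key   = example_lt_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LT_WINDOW );
}
add_action( 'wp_login_failed', 'example_lt_record_failure' );

// A successful login clears the counter, so a legitimate user who mistyped
// a couple of times is not locked out afterwards.
function example_lt_clear( $user_login, $user ) {
    delete_transient( example_lt_key() );
}
add_action( 'wp_login', 'example_lt_clear', 10, 2 );

// Refuse authentication while the client is over the limit. Priority 30
// runs after core's own username/password handler (priority 20), which can
// return a WP_User even when an earlier filter returned an error; replacing
// the result here makes the block hold regardless of the password. The
// message is the same whether or not the username exists, so the throttle
// itself does not leak account names.
function example_lt_check( $user, $username, $password ) {
    $count = (int) get_transient( example_lt_key() );
    if ( $count >= EXAMPLE_LT_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lt_check', 30, 3 );
```

Drop the file into `wp-content/plugins/` and activate it; the sixth attempt from the same address within the window gets the generic error. Transients live in the options table (or the object cache, if one is installed), so on a multi-server site the counter is only shared if the cache is; and because the key is the client address, clients behind one NAT share a counter, which is the usual trade-off for this kind of throttle and one reason the iptables or sshd layer underneath it is still worth having.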
