[wp-trac] [WordPress Trac] #24550: Do not suggest a default username in wp-admin/install.php

WordPress Trac noreply at wordpress.org
Mon Jun 10 09:59:04 UTC 2013


#24550: Do not suggest a default username in wp-admin/install.php
-------------------------+-----------------------------
 Reporter:  lovingboth   |      Owner:
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Security     |    Version:  trunk
 Severity:  normal       |   Keywords:  has-patch
-------------------------+-----------------------------
 By suggesting a user_name of 'admin' for the first user, install.php
 ensures that 'admin' is by far the most popular target for hack attempts
 on the almost certainly correct basis that it is probably by far the most
 popular user_name.

 It, and the lack of any password quality enforcement or limiting access to
 wp-login.php after multiple failed attempts, directly contributes to the
 large number of hacked WordPress sites. I doubt very much that any
 WordPress developer would suggest 'admin' if a new user asked them
 directly what user_name to have, but this has been done via install.php
 for far too long.

 Giving no default user_name will help protect new installations and force
 attackers to discover valid names.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/24550>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

