[wp-trac] [WordPress Trac] #45318: Security problem: Login Oracle

WordPress Trac noreply at wordpress.org
Sun Nov 11 10:28:29 UTC 2018


#45318: Security problem: Login Oracle
--------------------------+------------------------
 Reporter:  d0rkpress     |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Security      |     Version:
 Severity:  normal        |  Resolution:  duplicate
 Keywords:                |     Focuses:
--------------------------+------------------------
Changes (by earnjam):

 * status:  reopened => closed
 * resolution:   => duplicate


Comment:

 Duplicate of #3708.

 There are easier ways to scrape and discover usernames than repeatedly
 submitting the login form.

 Even ''**if**'' we changed our position and began considering usernames to
 be private information, changing the messaging on the login form alone
 does nothing. It would require restructuring author archive permalinks,
 breaking changes to the REST API, educating theme developers to not use
 the username in CSS classes, etc.

 That's not to say the work required is the reason we aren't changing it,
 but just that you're oversimplifying the scope to which usernames are
 visible to non-authenticated visitors.

 But this has all been discussed many times across a bunch of tickets. If
 you have more to add to the conversation, you can continue the discussion
 on this ticket without reopening it.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/45318#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

