[wp-hackers] WordPress can "leak" if a username is valid
Will Brown
will.h.brown at gmail.com
Mon Feb 18 21:01:35 GMT 2008
I have to say I agree with Otto. Every attacker already knows a username
they can brute-force with: "admin". Every single WordPress installation has
the admin user unless someone's gone in and changed the database, so an
attacker doesn't need to use this method to gain a hackable account.
If we're really worried about the security of usernames and being able to
guess them, then we should do away with a default, unchangeable administrator
username, instead of an indication that a username exists.
Will