[wp-trac] Re: [WordPress Trac] #3708: wp_login is too "friendly" -- Information disclosure

WordPress Trac wp-trac at lists.automattic.com
Mon Jan 29 16:31:03 GMT 2007

#3708: wp_login is too "friendly" -- Information disclosure
 Reporter:  charleshooper             |        Owner:  anonymous
     Type:  defect                    |       Status:  new      
 Priority:  low                       |    Milestone:  2.2      
Component:  Security                  |      Version:  2.2      
 Severity:  trivial                   |   Resolution:           
 Keywords:  security login has-patch  |  
Comment (by markjaquith):

 There are other ways to verify user names.  You can reverse engineer them
 from the author archive URLs (e.g. http://example.com/author/mark/).  I
 believe the consensus last time this came up was that it was trivial to
 figure out the user names anyway, and that it is much more user-friendly
 to tell them when they messed up their username, and not the password.
 Also, "admin" is created on install, and can't be changed using WordPress
 itself, so there's no hiding that.

Ticket URL: <http://trac.wordpress.org/ticket/3708#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list