[wp-trac] [WordPress Trac] #20235: the_author_posts_link() generates links with username instead of display name - this is insecure
WordPress Trac
wp-trac at lists.automattic.com
Tue Aug 28 00:15:50 UTC 2012
#20235: the_author_posts_link() generates links with username instead of display name - this is insecure
-------------------------+----------------------
Reporter: asdfasd567 | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Security | Version: 3.3.1
Severity: normal | Resolution: wontfix
Keywords: |
-------------------------+----------------------
Comment (by dd32):
The Display Name field is used to display on the front end of the site,
ie. beside "This post was written by: Some Awesome Person". That can be
changed at any time. The username is used within the URL as it doesn't
change - http://example.com/author/dd32 is always me, regardless of whether my
Display name is 'Dion', 'dd32', or 'Awesome Blogger'.
It has been stated in previous tickets, "leaking" of the username is not
deemed a security issue by WordPress.org, as it's a conscious decision to
use the username as the slug in the URL. If you don't like this default
behaviour, there are plugins in the repository which allow you to change
the URL format to your preferred layout.
Instead of attempting to provide security by forcing people to guess your
username (which, btw, is incredibly easy in most cases, as people are not
that inventive) you should be focusing on improving passwords, and/or
considering 2 factor authentication (ie. Google Authenticator) if your
passwords are known to be insecure/weak.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20235#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
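The comment above points to plugins as the way to change the author URL format. The sketch below is an added example, not code from the ticket, from dd32, or from WordPress core or any plugin in the repository. It shows the mechanism such a plugin relies on: WordPress builds the author archive URL from the user's `user_nicename`, which core fills with a sanitized copy of the login name when the account is created, so giving each new account a nicename derived from something other than the login keeps the account name out of `/author/<slug>/` links without touching `the_author_posts_link()` itself. The `asd_example_` function names and the plugin name are hypothetical; `user_register`, `wp_update_user()`, `get_user_by()`, `sanitize_title()` and `wp_generate_password()` are real core APIs.

```php
<?php
/*
 * Plugin Name: Author Slug Decoupler (hypothetical example, not a real plugin)
 * Description: Gives each new user an author slug (user_nicename) that is not a
 *              copy of the login name, so author archive URLs such as
 *              /author/<slug>/ do not reveal the account name.
 */

// Derive a slug from the display name; fall back to a random token when the
// display name is empty or would sanitize to the same string as the login.
function asd_example_author_slug( WP_User $user ) {
    $login_slug = sanitize_title( $user->user_login );
    $base       = sanitize_title( $user->display_name );

    if ( '' === $base || $base === $login_slug ) {
        // wp_generate_password( length, special_chars, extra_special_chars )
        $base = 'author-' . strtolower( wp_generate_password( 8, false, false ) );
    }

    // Keep the slug unique across existing users (the 'slug' lookup matches user_nicename).
    $slug = $base;
    $n    = 2;
    while ( ( $other = get_user_by( 'slug', $slug ) ) && (int) $other->ID !== (int) $user->ID ) {
        $slug = $base . '-' . $n++;
    }
    return $slug;
}

// Core sets user_nicename = sanitize_title( user_login ) on insert; replace it
// right after registration. wp_update_user() fires profile_update, not
// user_register, so this does not recurse.
function asd_example_set_nicename_on_register( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    if ( $user->user_nicename === sanitize_title( $user->user_login ) ) {
        wp_update_user( array(
            'ID'            => $user_id,
            'user_nicename' => asd_example_author_slug( $user ),
        ) );
    }
}
add_action( 'user_register', 'asd_example_set_nicename_on_register' );

// Audit helper for existing sites: returns the logins whose author slug still
// equals the login, i.e. accounts whose name is visible in the author URL.
function asd_example_find_exposed_authors() {
    $exposed = array();
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        if ( $user->user_nicename === sanitize_title( $user->user_login ) ) {
            $exposed[] = $user->user_login;
        }
    }
    return $exposed;
}
```

Two caveats when using this approach on an existing site: changing `user_nicename` for an established account changes its author archive URL, so any previously published `/author/<old-slug>/` links stop resolving unless you add redirects; and, as the comment says, hiding the slug is not a substitute for strong passwords or two-factor authentication, since the login name can still be obtained by other means.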