[wp-trac] [WordPress Trac] #23043: user_nicename security problem
WordPress Trac
noreply at wordpress.org
Sat Dec 22 03:47:44 UTC 2012
#23043: user_nicename security problem
-----------------------------+-------------------------
Reporter: zsero | Type: enhancement
Status: new | Priority: normal
Milestone: Awaiting Review | Component: Security
Version: | Severity: normal
Keywords: |
-----------------------------+-------------------------
user_nicename is a security problem. WordPress is asking a user to set a
unique name other than 'admin', and there is absolutely no point doing
that, since
1. user_nicename is visible on every single post
2. user_nicename is set to the username by default (unless someone goes and
tweaks the database by hand)
What it means is that '''WP is making the admin's login name public by
default'''. A very bad security practice, '''especially since WP misleads the
user into thinking that by choosing a unique user name he is safe'''!
Possible solutions:
1. Just remove user_nicename altogether. Use display_name for the links on the
posts. I'd strongly recommend this solution, since user_nicename is just
an old element with no link to the admin interface.
2. Make it possible to change user_nicename on the admin interface. A much
worse solution, since then the user would have to understand all of the
following: 1. user_login 2. user_nicename 3. display_name 4. nickname,
which would be a nightmare.
I think removing user_nicename in future WP versions is the best solution.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/23043>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
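As an added illustration of the default the ticket describes (this is not code from the ticket or from WordPress core), the following audit function finds accounts whose public author slug (user_nicename) still equals their login name and assigns a slug derived from display_name instead; it assumes a bootstrapped WordPress environment (for example a must-use plugin) and the core functions get_users, sanitize_title, get_user_by and wp_update_user.

```php
<?php
/**
 * Added example, not part of ticket #23043 or of WordPress core.
 * Lists (and optionally rewrites) users whose author slug leaks the login name.
 * Run once with $dry_run = true and review the returned map before applying.
 */
function ticket23043_rename_exposed_nicenames( $dry_run = true ) {
    $changed = array();
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        // Only touch users whose slug equals the login name.
        if ( $user->user_nicename !== $user->user_login ) {
            continue;
        }
        $base = sanitize_title( $user->display_name );
        // display_name may be empty or also equal the login; fall back to a neutral slug.
        if ( '' === $base || $base === $user->user_login ) {
            $base = 'author-' . $user->ID;
        }
        // user_nicename is what author archive URLs resolve on, so keep it unique.
        $slug = $base;
        $n    = 2;
        while ( get_user_by( 'slug', $slug ) ) {
            $slug = $base . '-' . $n++;
        }
        if ( ! $dry_run ) {
            wp_update_user( array( 'ID' => $user->ID, 'user_nicename' => $slug ) );
        }
        $changed[ $user->user_login ] = $slug; // login => proposed slug
    }
    return $changed;
}
```

Changing the slug changes the author archive URL, so existing links to /author/&lt;login&gt;/ will stop resolving once the rewrite is applied.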