[wp-trac] [WordPress Trac] #23043: user_nicename security problem

WordPress Trac noreply at wordpress.org
Sat Dec 22 03:47:44 UTC 2012


#23043: user_nicename security problem
-----------------------------+-------------------------
 Reporter:  zsero            |       Type:  enhancement
   Status:  new              |   Priority:  normal
Milestone:  Awaiting Review  |  Component:  Security
  Version:                   |   Severity:  normal
 Keywords:                   |
-----------------------------+-------------------------
 user_nicename is a security problem. WordPress is asking a user to set a
 unique name other than 'admin', and there is absolutely no point doing
 that, since
 1. user_nicename is visible on every single post
 2. user_nicename is set to username by default (unless someone goes and
 tweaks the database by hand)

 What it means is that '''WP is making the admin's login name public by
 default'''. A very bad security practice, '''especially since WP fools the
 user into thinking that by choosing a unique user name he is safe'''!

 Possible solution:
 1. Just remove user_nicename altogether. Use display_name for the links on
 the posts. I'd strongly recommend this solution, since user_nicename is
 just an old element with no link to the admin interface.

 2. Make it possible to change user_nicename on the admin interface. Much
 worse solution, since then the user would have to understand all the
 following: 1. user_login 2. user_nicename 3. display_name 4. nickname -
 which would be a nightmare.

 I think removing user_nicename in future WP versions is the best solution.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/23043>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
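As an added example, not part of the ticket and not WordPress core code, the following must-use plugin shows a site-level mitigation a defender can apply today without waiting for either proposed core change: at account creation it replaces a user_nicename that merely echoes the login with a random slug, and it provides an audit function that lists existing accounts whose public slug still equals their login. The hooks and functions it calls (user_register, get_userdata, wp_update_user, sanitize_title, wp_generate_password, get_users) are real WordPress APIs; the `nldl_` function names, the `author-xxxxxxxx` slug format and the mu-plugins deployment path are this example's own assumptions.

```php
<?php
/**
 * Plugin Name: Nicename Differs From Login (added example, not WordPress core)
 *
 * Assumed deployment: place this file in wp-content/mu-plugins/ so it loads
 * unconditionally. Two defensive pieces:
 *   1. on account creation, replace a user_nicename that merely echoes the
 *      login with a random slug, so author links stop publishing the login;
 *   2. an audit helper that lists existing accounts whose public slug still
 *      equals their login, for a one-time clean-up.
 */

/**
 * Returns true when the public slug would reveal the login name.
 * wp_insert_user() derives the default nicename as sanitize_title( $user_login ),
 * so that is the comparison that matters, not a plain string equality.
 */
function nldl_slug_reveals_login( WP_User $user ) {
    return $user->user_nicename === sanitize_title( $user->user_login );
}

/**
 * Builds a replacement slug that carries no information about the login.
 * Constructed format for this example: 'author-' + 8 lowercase alphanumerics.
 */
function nldl_random_slug() {
    return 'author-' . strtolower( wp_generate_password( 8, false ) );
}

/**
 * Runs after wp_insert_user() has created the row. wp_update_user() fires
 * 'profile_update' rather than 'user_register', so this does not recurse.
 */
function nldl_on_user_register( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user || ! nldl_slug_reveals_login( $user ) ) {
        return;
    }
    wp_update_user(
        array(
            'ID'            => $user_id,
            'user_nicename' => nldl_random_slug(),
        )
    );
}
add_action( 'user_register', 'nldl_on_user_register' );

/**
 * Audit: returns array( user ID => user_login ) for every existing account
 * whose public slug still equals its login.
 * Run once from WP-CLI:  wp eval 'print_r( nldl_audit_leaking_slugs() );'
 * Then fix each hit with: wp user update <ID> --user_nicename=<new-slug>
 */
function nldl_audit_leaking_slugs() {
    $leaking = array();
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        if ( nldl_slug_reveals_login( $user ) ) {
            $leaking[ $user->ID ] = $user->user_login;
        }
    }
    return $leaking;
}
```

The hook only touches accounts whose slug is the sanitized login, so a nicename an administrator has deliberately set by hand is left alone. Changing user_nicename changes the author archive URL, so run the audit and rewrite existing slugs during a maintenance window if those URLs are linked from elsewhere. This addresses only the slug the ticket describes; display_name remains public, as the ticket itself intends.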