[wp-trac] [WordPress Trac] #24078: Remove 'admin' as default username in install
WordPress Trac
noreply at wordpress.org
Sun Apr 14 08:44:27 UTC 2013
#24078: Remove 'admin' as default username in install
-----------------------------+------------------------------
Reporter: chrisrudzki | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upgrade/Install | Version: 3.5
Severity: normal | Resolution:
Keywords: has-patch |
-----------------------------+------------------------------
Comment (by jtallant):
Replying to [comment:2 mark-k]:
> I don't think this is major in any way. User names in WordPress are
> public knowledge (can be retrieved from author page url) so while I agree
> that there is no reason to have a default user name, it doesn't add much
> security (I guess that is the point of this ticket).
Defaulting the user name to 'admin' is definitely a security issue. That
user name is being targeted in brute force attacks. If it wasn't being
targeted, it wouldn't be considered a vulnerability. The fact that other
user names are discoverable doesn't make it less of a vulnerability, it
simply points out yet another vulnerability. Why are user names
discoverable? That's a little silly. Why do users need user names and an
email address? Why does WordPress tell you when you have guessed the right
user name but got the password wrong and vice versa?
Make the user name the email address. Do away with "user name" and add an
(optional) author name. The author name can be what is displayed publicly,
the email address should become the login. You could use the first/last
name as the author name if they provide one and not even have an author
name (I know these options exist in WP but I'm talking about installation
fields).
Instead of yourblog.com/author/username it should work like this...
If author name exists
yourblog.com/author/authorname (not the same as your admin log in)
If no author name exists but a first/last name exists
yourblog.com/author/first-last
If no author name and no first/last name.
yourblog.com/author/1
1 being the unique id of the user (auto-incrementing id from DB)
Do this and do away with anything else that makes the user login
detectable.
Assuming WP starts defaulting user names to email addresses, someone will
certainly point out that your email address is probably displayed publicly
on your site somewhere, and if it is displayed publicly, it can be scraped
for and used in brute force attacks as well. That is true but I suspect
this occurs much less often and is more difficult to do than brute forcing
for admin successfully.
I think all the changes above should be considered important but I still
believe enforcing stronger passwords is more important.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24078#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
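As an added illustration of the two proposals in the comment above (the author URL fallback chain and a login keyed on the e-mail address that does not say which half of the credentials was wrong), the stand-alone PHP below is example code, not WordPress core and not the commenter's code. The user record fields (id, email, author_name, first_name, last_name, password_hash) and the function names are assumptions, and the sample users are constructed for the demo.

```php
<?php
// Added example, not WordPress core code: a stand-alone model of the two
// changes proposed above. Field names (author_name, first_name, last_name,
// id, email, password_hash) and the function names are assumptions.

/** Reduce a display string to a URL slug: lowercase ASCII letters, digits and hyphens. */
function slugify(string $text): string
{
    $slug = strtolower(trim($text));
    $slug = preg_replace('/[^a-z0-9]+/', '-', $slug);
    return trim($slug, '-');
}

/**
 * Public author path, derived only from display data and never from the login:
 * author name, then first/last name, then the numeric user id.
 */
function author_path(array $user): string
{
    $slug = '';
    if (!empty($user['author_name'])) {
        $slug = slugify($user['author_name']);
    } elseif (!empty($user['first_name']) || !empty($user['last_name'])) {
        $slug = slugify(($user['first_name'] ?? '') . ' ' . ($user['last_name'] ?? ''));
    }
    if ($slug === '') {            // nothing usable, or it sanitised away to nothing
        $slug = (string) (int) $user['id'];
    }
    return '/author/' . $slug;
}

/** A throwaway bcrypt hash so that unknown e-mails still pay for one password_verify(). */
function dummy_hash(): string
{
    static $hash = null;
    return $hash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
}

/**
 * Login by e-mail. Returns the user on success, null otherwise. The caller shows
 * one message ("Invalid e-mail or password.") for every null, so the response
 * does not reveal whether the e-mail exists or only the password was wrong.
 */
function authenticate(array $users_by_email, string $email, string $password): ?array
{
    $user = $users_by_email[strtolower(trim($email))] ?? null;
    $hash = $user['password_hash'] ?? dummy_hash();
    $ok   = password_verify($password, $hash);   // runs whether or not the user exists
    return ($user !== null && $ok) ? $user : null;
}

// Constructed sample data for the demo (not real accounts).
$users = [
    'alice@example.com' => [
        'id' => 1, 'email' => 'alice@example.com', 'author_name' => 'Alice Q. Writer',
        'first_name' => 'Alice', 'last_name' => 'Quincy',
        'password_hash' => password_hash('correct horse battery', PASSWORD_DEFAULT),
    ],
    'bob@example.com' => [
        'id' => 2, 'email' => 'bob@example.com', 'author_name' => '',
        'first_name' => 'Bob', 'last_name' => 'Smith',
        'password_hash' => password_hash('another-secret', PASSWORD_DEFAULT),
    ],
    'carol@example.com' => [
        'id' => 3, 'email' => 'carol@example.com', 'author_name' => '',
        'first_name' => '', 'last_name' => '',
        'password_hash' => password_hash('third-secret', PASSWORD_DEFAULT),
    ],
];

foreach ($users as $u) {
    echo $u['email'], ' -> ', author_path($u), PHP_EOL;
}

$attempts = [
    ['alice@example.com', 'correct horse battery'],   // valid
    ['alice@example.com', 'wrong'],                   // known e-mail, bad password
    ['nobody@example.com', 'wrong'],                  // unknown e-mail
];
foreach ($attempts as [$email, $pw]) {
    echo $email, ': ', authenticate($users, $email, $pw) ? 'logged in' : 'Invalid e-mail or password.', PHP_EOL;
}
```

The two failing attempts produce the same message and both cost one bcrypt verification, which is what removes the user-name oracle the comment complains about; the author paths never contain the login, so scraping author URLs yields nothing an attacker can feed to wp-login.php.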