[wp-trac] [WordPress Trac] #12129: Generic login failure message
WordPress Trac
noreply at wordpress.org
Tue Apr 16 14:14:31 UTC 2013
#12129: Generic login failure message
-------------------------+------------------------------
Reporter: scohoust | Owner: ryan
Type: enhancement | Status: reopened
Priority: low | Milestone: Awaiting Review
Component: Security | Version:
Severity: major | Resolution:
Keywords: 2nd-opinion |
-------------------------+------------------------------
Comment (by Otto42):
Negative, and I would leave this as wontfix.
The simple fact is that no real automated attacks use this information. My
sites don't have an admin user at all, and the no-such-user message is
there for anybody to see. But the bots are stupid and keep hammering away
at it.
Getting a username from elsewhere in the site is trivial. Changing this
message to generic adds no security against bots (because they ignore it
anyway) and no security against real people (who can find the actual
username trivially).
+1 to real-user-friendliness instead.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12129#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software