[wp-trac] [WordPress Trac] #12129: Generic login failure message

WordPress Trac noreply at wordpress.org
Tue Apr 16 14:14:31 UTC 2013


#12129: Generic login failure message
-------------------------+------------------------------
 Reporter:  scohoust     |       Owner:  ryan
     Type:  enhancement  |      Status:  reopened
 Priority:  low          |   Milestone:  Awaiting Review
Component:  Security     |     Version:
 Severity:  major        |  Resolution:
 Keywords:  2nd-opinion  |
-------------------------+------------------------------

Comment (by Otto42):

 Negative, and I would leave this as wontfix.

 The simple fact is that no real automated attacks use this information. My
 sites don't have an admin user at all, and the no-such-user message is
 there for anybody to see. But the bots are stupid and keep hammering away
 at it.

 Getting a username from elsewhere in the site is trivial. Changing this
 message to generic adds no security against bots (because they ignore it
 anyway) and no security against real people (who can find the actual
 username trivially).

 +1 to real-user-friendliness instead.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/12129#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

