[wp-trac] [WordPress Trac] #24550: Do not suggest a default username in wp-admin/install.php
WordPress Trac
noreply at wordpress.org
Mon Jun 10 09:59:04 UTC 2013
#24550: Do not suggest a default username in wp-admin/install.php
-------------------------+-----------------------------
Reporter: lovingboth | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Keywords: has-patch
-------------------------+-----------------------------
By suggesting a user_name of 'admin' for the first user, install.php
ensures that 'admin' is by far the most popular target for hack attempts
on the almost certainly correct basis that it is probably by far the most
popular user_name.

It, and the lack of any password quality enforcement or limiting access to
wp-login.php after multiple failed attempts, directly contributes to the
large number of hacked WordPress sites. I doubt very much that any
WordPress developer would suggest 'admin' if a new user asked them
directly what user_name to have, but this has been done via install.php
for far too long.

Giving no default user_name will help protect new installations and force
attackers to discover valid names.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/24550>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software