[wp-trac] [WordPress Trac] #24078: Remove 'admin' as default username in install
WordPress Trac
noreply at wordpress.org
Mon Jun 10 13:10:01 UTC 2013
#24078: Remove 'admin' as default username in install
----------------------------------------+-----------------------------
Reporter: chrisrudzki | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Upgrade/Install | Version: 3.5
Severity: normal | Resolution:
Keywords: has-patch commit 3.7-early |
----------------------------------------+-----------------------------
Comment (by lovingboth):

Ah, I missed this one when searching to see if it had been done earlier -
thank you ocean90. I am surprised it is so recent.

I cannot believe that any of the developers would suggest that a friend
new to WordPress use 'admin', but this has been what has been happening on
every new site's setup page for the past three years (before then, it was
inflicted on users because they didn't get to choose the initial user
name!) The result is that it's the one that the vast majority of attacks
go for, on the extremely likely to be correct assumption that it's an
administration account on a very large number of sites.

As it is, WordPress suggests you pick an obvious username for the first
administration account, has no password strength enforcement for it, and
then lets attackers have as many attempts at hacking it as they like, as
fast as the webserver will let them. Is that really thought to be a good
idea?

At least this will force attackers to find usernames. This patch should be
in 3.6, and not have to wait for 3.7.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/24078#comment:31>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software