[wp-trac] [WordPress Trac] #25428: All administrator, authors, usernames able to be discovered

WordPress Trac noreply at wordpress.org
Tue Oct 1 03:47:07 UTC 2013


#25428: All administrator, authors, usernames able to be discovered
--------------------------+------------------------
 Reporter:  taipo         |       Owner:
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Users         |     Version:  3.6.1
 Severity:  normal        |  Resolution:  duplicate
 Keywords:                |
--------------------------+------------------------

Comment (by taipo):

 I think the reason why we keep submitting this to be fixed is because it
 is now common practice to change the name of the initial admin to
 something obscure, and not use it as the primary username to post from.
 Many users are now setting up another user with the lowest posting role
 possible as their primary posting user to protect any username with
 administrator powers from being discovered and therefore brute-forced. The
 reasons are that 1/ some sites are actually being brute-force cracked even
 with what they believe are difficult-to-crack passwords, and 2/ webhosts
 tend to find breaches of terms of service faster when it's your website
 slowing their servers down, and this leads to your site being removed or
 at least receiving a warning about CPU usage or something similar.

 This is because right now there are a series of botnets brute-forcing
 WordPress logins in this very fashion: first they scan the first 2-3 user
 id numbers, i.e. /?author=2, /?author=3, etc., then those usernames that
 are discovered from the pages that load from those requests are
 jackhammered until their hashes are cracked. The botnets appear to have a
 lot of resources and are not fazed in the slightest by IP banning, but
 they do appear to move on, presumably to another site on their list, when,
 via some clever .htaccess code, we ban access to ?author=(some number).

 Meanwhile the servers on which the WP websites that receive this type of
 attention sit are receiving denial-of-service attacks, which invariably
 leads to a breach of terms of service with the webhosts, and on and on it
 goes.

 So what is needed to prevent this attack is a simple on/off setting for
 public viewing of usernames.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/25428#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
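As an added example, not code from the ticket or from WordPress itself, the following Python detector runs the two-phase pattern taipo describes over constructed Apache combined-format access-log lines (the IPs and timestamps are made up): it flags clients that walk several /?author=N ids and reports how many POSTs to wp-login.php each one sent afterwards, which is the signal a site owner or host can alert on.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not taken from the ticket):
# 203.0.113.5 walks ?author=1..3 and then POSTs to wp-login.php; 198.51.100.7 asks once.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Oct/2013:03:40:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2013:03:40:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2013:03:40:03 +0000] "GET /?author=3 HTTP/1.1" 404 1403 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2013:03:40:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2391 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Oct/2013:03:40:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2391 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2013:03:41:00 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

def parse_line(line):
    # Returns (ip, method, path, status), or None for a line that is not a combined-format entry.
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group('ip'), m.group('method'), m.group('path'), int(m.group('status'))

def find_author_enumeration(log_text, min_ids=3):
    """Map client IP -> sorted distinct author ids, for clients that probed at least min_ids of them."""
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, path, _status = parsed
        hit = AUTHOR_RE.search(path)
        if hit:
            ids_by_ip[ip].add(int(hit.group(1)))
    return {ip: sorted(ids) for ip, ids in ids_by_ip.items() if len(ids) >= min_ids}

def login_posts_by_ip(log_text):
    """Count POST requests to wp-login.php per client IP (the 'jackhammering' phase)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == 'POST' and parsed[2].startswith('/wp-login.php'):
            counts[parsed[0]] += 1
    return dict(counts)

if __name__ == '__main__':
    logins = login_posts_by_ip(SAMPLE_LOG)
    for ip, ids in find_author_enumeration(SAMPLE_LOG).items():
        print(f'{ip}: probed author ids {ids}, then sent {logins.get(ip, 0)} wp-login.php POST(s)')
```

A single /?author=N request is ordinary traffic (a visitor following an author link), so the threshold of three distinct ids is what separates a scan from normal use; on a real log feed the flagged IPs are what an .htaccess or firewall rule would act on.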
