[wp-trac] [WordPress Trac] #24673: provide mainline supported rename of wp-login
WordPress Trac
noreply at wordpress.org
Tue Apr 1 16:06:10 UTC 2014
#24673: provide mainline supported rename of wp-login
--------------------------+----------------------
 Reporter:  jorhett       |       Owner:
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Security      |     Version:  3.5.2
 Severity:  critical      |  Resolution:  wontfix
 Keywords:  close         |     Focuses:
--------------------------+----------------------
Comment (by jorhett):
Replying to [comment:26 SergeyBiryukov]:
> I'd argue that an authentication request is less expensive than a 404
> error page on most sites (3 simple queries vs. 25 or more potentially
> complex ones, depending on the theme).
Is anyone here able to make a technical argument? Or must you all resort
to false dilemmas due to the lack of any other way to argue?
1. It would be trivial to replace the current attack points with very low
cost responses.
2. I'd be deeply interested in seeing this reality SergeyBiryukov lives
in, where an uncached authentication request is less expensive than an
answer from cache. Do please do some testing before you make such a claim
as this.
FWIW: I will hereby take the "wontfix" action which you have supplied, and
the contents of this thread, and turn it over to the lawyers who requested
that reasonable efforts be taken to engage with the authors of the botnet
host providers. You have clearly delineated that:
1. No technical solution, only false dilemmas, will be evaluated.
2. You have no interest in stopping this botnet.
It has been growing for years, and this issue in particular has been open
for nine months, and there hasn't been a single considered, thoughtful
response on the topic. I believe you have set the stage quite well for
liability to be applied to you.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24673#comment:29>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform