[wp-trac] [WordPress Trac] #27052: Known admin user_id ( = 1 ) could lead to security problems and/or unwanted side-effects

WordPress Trac noreply at wordpress.org
Fri Feb 7 16:09:28 UTC 2014


#27052: Known admin user_id ( = 1 ) could lead to security problems and/or unwanted
side-effects
-----------------------------+-----------------------------
 Reporter:  ruud@…           |      Owner:
     Type:  enhancement      |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Upgrade/Install  |    Version:  trunk
 Severity:  normal           |   Keywords:
  Focuses:                   |
-----------------------------+-----------------------------
 As mentioned by Pippin Williamson on his Apply Filters podcast (if I
 remember correctly), having an admin user_id = 1 could potentially lead to a
 security risk when for instance a plugin uses it the wrong way.
 Also the plugin 'better-wp-security' has an option to change the admin
 user_id to another value.
 These things got me thinking whether this could easily be avoided, and I
 think a change to the initial creation of the user table is an easy 'fix'
 for this.

 By creating a random auto_increment value for the user table upon installing
 the website, the subsequently inserted users get an id which is perfectly OK,
 but much harder to guess and absolutely not equal to 1.

 Adding the 'AUTO_INCREMENT = value' table option is available in all MySQL
 versions.

 Since this could have potential repercussions in other parts of the
 software, I would gladly hear feedback from seasoned developers on this
 topic.

 I tested the initial setup of the site, receiving the initial setup email by
 this user and removal/editing of the user with a random ID; all seems fine.

 While going through the schema.php file I also did a bit of code cleanup
 according to the coding standards. (Going to submit the cleanup as a
 separate ticket as well.)

 I've added 2 patches:
 - Auto_increment patch
 - Auto_increment_and_cleanup patch

--
Ticket URL: <https://core.trac.wordpress.org/ticket/27052>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
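An added example, not WordPress's schema.php and not the reporter's patch, showing what the proposal does: the MySQL `AUTO_INCREMENT = value` table option seeds the ID counter so the installer's first user (the admin) never lands on ID 1, plus the audit check a plugin should run instead of assuming ID 1. The start-value range, the trimmed column list and the use of SQLite's `sqlite_sequence` as a stand-in for MySQL's counter are assumptions made here for a runnable demonstration.

```python
import random
import sqlite3

# Assumed range for the randomised starting ID; the ticket names no range.
# Six digits is negligible against bigint(20) unsigned, so no headroom is lost.
MIN_START, MAX_START = 1_000, 999_999


def random_auto_increment(rng=random.SystemRandom()):
    """Pick the ID the installer's first INSERT (the admin) will receive."""
    return rng.randint(MIN_START, MAX_START)


def users_table_ddl(start):
    """MySQL DDL in the style of the ticket's proposal. The AUTO_INCREMENT
    table option at the end seeds the counter, so the first inserted row
    gets ID `start` instead of 1. The column list is a trimmed stand-in."""
    return (
        "CREATE TABLE wp_users (\n"
        "  ID bigint(20) unsigned NOT NULL AUTO_INCREMENT,\n"
        "  user_login varchar(60) NOT NULL DEFAULT '',\n"
        "  PRIMARY KEY (ID)\n"
        f") AUTO_INCREMENT = {start};"
    )


def simulate_install(start, logins=("admin", "editor", "author")):
    """SQLite stand-in for MySQL's counter: seeding sqlite_sequence to
    start-1 mirrors what the AUTO_INCREMENT option does in MySQL. Inserts
    the install-time users and returns the IDs they were given."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY AUTOINCREMENT,"
               " user_login TEXT)")
    # Fresh table: no sqlite_sequence row exists yet, so a plain INSERT seeds it.
    db.execute("INSERT INTO sqlite_sequence (name, seq) VALUES ('wp_users', ?)",
               (start - 1,))
    db.executemany("INSERT INTO wp_users (user_login) VALUES (?)",
                   [(login,) for login in logins])
    return [row[0] for row in db.execute("SELECT ID FROM wp_users ORDER BY ID")]


def admin_is_user_one(ids):
    """Audit check: does the hard-coded assumption 'admin == ID 1' hold here?
    Code that looks users up by role or capability does not need it."""
    return 1 in ids


if __name__ == "__main__":
    start = random_auto_increment()
    print(users_table_ddl(start))
    print("IDs handed out:", simulate_install(start))
```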