[wp-trac] [WordPress Trac] #36648: Suppressed post-usernames are being published on Flipboard user-magazines

WordPress Trac noreply at wordpress.org
Sat Apr 23 04:47:01 UTC 2016


#36648: Suppressed post-usernames are being published on Flipboard user-magazines
--------------------------+-----------------------------
 Reporter:  CDN WP GUY    |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  4.4.2
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 Hey there.

 So, I assume like many, I changed my dashboard 'admin' default to a harder
 to guess username and then suppressed having that name appear when I post
 as that user on my wp site. Basically it acts like a second level of
 password, you gotta guess the username 1st, then a password if you want to
 try to hack into my site – Feeling all warm and secure.

 Suddenly Flipboard!

 Someone sends me a link to their personal Flipboard magazine (didn't know
 that was possible) and they are pulling content from my wp site. Cool!
 More networking. I check out the link to their Flipboard mag.

 Lo & Behold!  There is my suppressed username published on the Flipboard
 mag for all to see – Feeling violated.

 Contacted Flipboard – final summary from them:

 "In this situation, that is expected behavior. Although it may be
 suppressed in WordPress, we are pulling an RSS feed that's in our
 database, where "yourusername" is included in the markup, so that will
 display."

 ("yourusername" the username for none to see).

 So RSS feed, markup ... seems WP should be trapping usernames on posts if
 they are suppressed ... and stripping them out of published RSS feeds or
 'markup' – whatever the Flipboard guy is talking about.

 Otherwise, there's not much point in offering the ability to suppress
 usernames on WP posts being published elsewhere. And if we post under a
 suppressed username that we like to log in with, assuming no one will see
 it ... strikes me as a bit of an oops - security wise.

 Thanks for reading!

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36648>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
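
A check a site owner can run against their own feed for the situation this ticket describes, added here as an example and not part of the ticket or of WordPress: it parses feed XML and reports every author field that contains a login name meant to stay private. The element names checked (`dc:creator`, `author`, Atom `author/name`), the function name `find_login_leaks` and the sample feed are assumptions; the ticket does not say which markup carried the name.

```python
import re
import xml.etree.ElementTree as ET

DC = "{http://purl.org/dc/elements/1.1/}"
ATOM = "{http://www.w3.org/2005/Atom}"
# Elements assumed to carry the post author in RSS 2.0 and Atom feeds.
AUTHOR_PATHS = {
    "dc:creator": DC + "creator",
    "author": "author",
    "atom:author/name": ATOM + "author/" + ATOM + "name",
}

def find_login_leaks(feed_xml, private_logins):
    """Return (entry title, element, value) for every author field that
    contains a login name the site owner expects to stay private."""
    patterns = [
        re.compile(r"(?<![\w.@-])" + re.escape(name.strip()) + r"(?![\w.@-])", re.I)
        for name in private_logins if name.strip()
    ]
    # Run this against your own site's feed; the stdlib parser is not
    # hardened against maliciously constructed XML.
    root = ET.fromstring(feed_xml)
    leaks = []
    for entry in list(root.iter("item")) + list(root.iter(ATOM + "entry")):
        title = entry.findtext("title") or entry.findtext(ATOM + "title") or ""
        for label, path in AUTHOR_PATHS.items():
            for node in entry.findall(path):
                value = (node.text or "").strip()
                if any(p.search(value) for p in patterns):
                    leaks.append((title.strip(), label, value))
    return leaks

# Constructed sample feed; "s3cr3tlogin" is a made-up login name.
SAMPLE_FEED = """<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Example site</title>
    <item>
      <title>Hello world</title>
      <dc:creator><![CDATA[s3cr3tlogin]]></dc:creator>
    </item>
    <item>
      <title>Second post</title>
      <dc:creator><![CDATA[Site Editor]]></dc:creator>
    </item>
  </channel>
</rss>"""

if __name__ == "__main__":
    for title, element, value in find_login_leaks(SAMPLE_FEED, ["s3cr3tlogin"]):
        print(f"{title!r}: <{element}> exposes {value!r}")
```

An empty result for the login name means none of the checked elements in that feed document carry it; other feeds the site publishes need the same check.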