[wp-trac] [WordPress Trac] #56156: Admin UserId revealed

WordPress Trac noreply at wordpress.org
Wed Jul 6 10:25:29 UTC 2022

#56156: Admin UserId revealed
 Reporter:  dlucco             |      Owner:  (none)
     Type:  defect (bug)       |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  Posts, Post Types  |    Version:  6.0
 Severity:  normal             |   Keywords:
  Focuses:  privacy            |
 Hello, I use Wordfence and I've seen many unathorized access attempts
 where hackers try to guess the admin userid and password. So I always use
 hard-to-guess admin userids and passwords, and do my best effort to keep
 the admin userid hidden. On this website, my admin username is
 DantitoLindoPeshosho, my Nickname is Dan, and in the user profile I've set
 "Display name publicly" to my Nickname = Dan.

 However, I have noticed that, if articles are published by the admin (only
 by him/her most of the times!), hackers can go to an article, check in the
 article's metadata for the author nickname, then go to the HTML source,
 Ctrl+F to find the nickname, and then they will find a link to view all
 posts by that author, which will contain the (admin) userid slug.

 At this point I hope you find a way to fix this, in the meanwhile I will
 create a new userid without admin privileges, and will assign it as author
 of every post.

 I thought this is a security issue and I tried to report it to HackerOne
 WordPress, but it's very confusing unless you are a security specialist.

 Best Regards


Ticket URL: <https://core.trac.wordpress.org/ticket/56156>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list