#20235 closed enhancement (wontfix)
the_author_posts_link() generates links with username instead of display name - this is insecure
| Reported by: | asdfasd567 | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.3.1 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
Any instance of using username instead of display name is susceptible to the same vulnerabilities that leaving your username as "admin" is.
Suggest changing this, starting with the most common functions like the_author_posts_link() so the links generated aren't http://foo.com/author/MySecretUsername
http://wordpress.org/extend/plugins/display-name-author-permalink aims to fix this, but it throws an error on activation.
Possible to make this part of core?
Change History (14)
#2 (12 years ago)
- Cc zodiac1978 added
+1 on this.
For example: my username is "foo" and I have set "Display name publicly as" to "bar".
Then I expect that my username "foo" is not displayed anymore, not in comment classes and not in author URLs. It has to be "bar" in these cases.
This plugin provides a way to rename the author slug:
http://wordpress.org/extend/plugins/edit-author-slug/
But the core problem remains.
#5 (12 years ago)
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
#6 (12 years ago)
All bug reports which report things like this are closed and set to "wontfix".
Could anyone please tell a newbie why you won't fix this? Much appreciated! Thanks in advance.
Many security posts, plugins, etc. are suggesting to change the "admin" username to something else. If I rename it, I should protect the new name and just use the nickname in public.
If the reason is just: There are other possibilities to get the username (e.g. example.com/?author=1), why don't we close all of it?
#7 by dd32 (12 years ago)
The Display Name field is used for display on the front end of the site, i.e. beside "This post was written by: Some Awesome Person". That can be changed at any time. The username is used within the URL as it doesn't change: http://example.com/author/dd32 is always me, regardless of whether my Display Name is 'Dion', 'dd32', or 'Awesome Blogger'.
As has been stated in previous tickets, "leaking" of the username is not deemed a security issue by WordPress.org, as it's a conscious decision to use the username as the slug in the URL. If you don't like this default behaviour, there are plugins in the repository which allow you to change the URL format to your preferred layout.
Instead of attempting to provide security by forcing people to guess your username (which, by the way, is incredibly easy in most cases, as people are not that inventive), you should be focusing on improving passwords and/or considering two-factor authentication (i.e. Google Authenticator) if your passwords are known to be insecure/weak.
#8 by zodiac1978 (12 years ago); follow-ups: #9, #12
Thanks dd32!
Do you have a link to these previous tickets where this issue has been discussed? Would be great!
#9 by asdfasd567 (12 years ago); in reply to #8; follow-up: #10
- Cc csimmonswork@… removed
Replying to zodiac1978:
> Thanks dd32!
> Do you have a link to these previous tickets where this issue has been discussed? Would be great!
He literally just discussed it.
#10 (12 years ago); in reply to #9
Replying to asdfasd567:
> Replying to zodiac1978:
> > Thanks dd32!
> > Do you have a link to these previous tickets where this issue has been discussed? Would be great!
> He literally just discussed it.
Indeed. Just thought it couldn't be a bad idea to read the whole story/arguments. Just want to learn ...
#12 (11 years ago); in reply to #8
Replying to zodiac1978:
> Do you have a link to these previous tickets where this issue has been discussed? Would be great!
See comment:3.
I would like to second this or have some discussion. Exploit scanners now crawl usernames to facilitate brute-force attacks, and the_author_posts_link() does not provide a way to use "display name".