Opened 12 years ago
Closed 12 years ago
#23043 closed enhancement (duplicate)
user_nicename security problem
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | Cc: |
Description
user_nicename is a security problem. Wordpress is asking a user to set a unique name other than 'admin', and there is absolutely no point doing that, since
- user_nicename is visible on every single post
- user_nicename is set to username by default (unless someone goes and tweaks the database by hand)
What it means is that WP is making the admin's login name public by default. A very bad security practice, especially since WP fakes the user that by choosing a unique user name he is safe!
Possible solution:
- Just remove user_nicename at all. Use display_name for the links on the posts. I'd strongly recommend this solution, since user_nicename is just an old element with no link to the admin interface.
- Make it possible to change user_nicename on the admin interface. Much worse solution, since then the user would have to understand all the following: 1. user_login 2. user_nicename 3. display_name 4. nickname - what would be a nightmare.
I think removing user_nicename in future WP versions is the best solution.
Change History (1)
Note: See
TracTickets for help on using
tickets.
#20235, #14644