Opened 2 years ago

Closed 2 years ago

#23043 closed enhancement (duplicate)

user_nicename security problem

Reported by: zsero
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

user_nicename is a security problem. WordPress is asking a user to set a unique name other than 'admin', and there is absolutely no point doing that, since

  1. user_nicename is visible on every single post
  2. user_nicename is set to username by default (unless someone goes and tweaks the database by hand)

What it means is that WP is making the admin's login name public by default. A very bad security practice, especially since WP misleads the user into thinking that by choosing a unique user name he is safe!

Possible solutions:

  1. Just remove user_nicename altogether. Use display_name for the links on the posts. I'd strongly recommend this solution, since user_nicename is just an old element with no link to the admin interface.
  2. Make it possible to change user_nicename on the admin interface. Much worse solution, since then the user would have to understand all the following: 1. user_login 2. user_nicename 3. display_name 4. nickname - which would be a nightmare.

I think removing user_nicename in future WP versions is the best solution.
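
An audit for the default described above, as an added example that is not part of the ticket or of WordPress core: it flags rows exported from the users table whose user_nicename equals, or is derivable from, user_login. The `approx_nicename` helper is a simplified, ASCII-only approximation of how WordPress slugs a login (an assumption), and the sample rows are constructed.

```python
import re


def approx_nicename(user_login: str) -> str:
    """Approximate the slug WordPress derives from a login.

    Assumption: simplified, ASCII-only model of the slugging step
    (lowercase, dots and whitespace become dashes, other punctuation dropped).
    """
    s = user_login.lower().replace(".", "-")
    s = re.sub(r"[^a-z0-9 _-]", "", s)   # drop characters a slug cannot hold
    s = re.sub(r"\s+", "-", s)           # whitespace becomes a dash
    s = re.sub(r"-+", "-", s)            # collapse runs of dashes
    return s.strip("-")


def audit(rows):
    """Return (login, finding) pairs for accounts whose public slug leaks the login.

    "identical": the slug shown in author links is the login itself.
    "derived":   the slug is what the default would generate from the login,
                 so the login is guessable from it.
    """
    findings = []
    for row in rows:
        login, nicename = row["user_login"], row["user_nicename"]
        if nicename == login.lower():
            findings.append((login, "identical"))
        elif nicename == approx_nicename(login):
            findings.append((login, "derived"))
    return findings


# Constructed sample rows (columns as in the users table; not from a real site).
SAMPLE_ROWS = [
    {"user_login": "siteowner42", "user_nicename": "siteowner42", "display_name": "Jane"},
    {"user_login": "Jane.Doe", "user_nicename": "jane-doe", "display_name": "Jane Doe"},
    {"user_login": "ed1tor_x9", "user_nicename": "guest-author", "display_name": "Guest"},
]

if __name__ == "__main__":
    for login, finding in audit(SAMPLE_ROWS):
        print(f"{login}: user_nicename is {finding} from user_login")
```

Accounts reported as "derived" do not expose the login verbatim, but anyone who knows the slugging rules can narrow it to a handful of candidates.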

Change History (1)

comment:1 @SergeyBiryukov 2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed