Opened 12 years ago
Closed 12 years ago
#24550 closed enhancement (duplicate)
Do not suggest a default username in wp-admin/install.php
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.6 |
| Component: | Upgrade/Install | Keywords: | |
| Focuses: | | Cc: | |
Description
By suggesting a user_name of 'admin' for the first user, install.php ensures that 'admin' is by far the most popular target for hack attempts on the almost certainly correct basis that it is probably by far the most popular user_name.
It, and the lack of any password quality enforcement or limiting access to wp-login.php after multiple failed attempts, directly contributes to the large number of hacked WordPress sites. I doubt very much that any WordPress developer would suggest 'admin' if a new user asked them directly what user_name to have, but this has been done via install.php for far too long.
Giving no default user_name will help protect new installations and force attackers to discover valid names.
Just delete the five letters 'admin' from lines 88 and 193 of install.php.