WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#24550 closed enhancement (duplicate)

Do not suggest a default username in wp-admin/install.php

Reported by: lovingboth
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.6
Component: Upgrade/Install
Keywords:
Focuses:
Cc:

Description

By suggesting a user_name of 'admin' for the first user, install.php ensures that 'admin' is by far the most popular target for hack attempts on the almost certainly correct basis that it is probably by far the most popular user_name.

It, and the lack of any password quality enforcement or limiting access to wp-login.php after multiple failed attempts, directly contributes to the large number of hacked WordPress sites. I doubt very much that any WordPress developer would suggest 'admin' if a new user asked them directly what user_name to have, but this has been done via install.php for far too long.

Giving no default user_name will help protect new installations and force attackers to discover valid names.

Attachments (1)

patch.diff (414 bytes) - added by lovingboth 7 years ago.
Just delete the five letters 'admin' from lines 88 and 193 of install.php


Change History (2)

@lovingboth
7 years ago

Just delete the five letters 'admin' from lines 88 and 193 of install.php

#1 @ocean90
7 years ago

  • Component changed from Security to Upgrade/Install
  • Keywords has-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #24078.
