WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 3 years ago

#36648 closed defect (bug) (wontfix)

Suppressed post-usernames are being published on Flipboard user-magazines

Reported by: CDN WP GUY Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.4.2
Component: Users Keywords: close
Focuses: Cc:

Description

Hey there.

So, I assume like many, I changed my dashboard 'admin' default to a harder to guess username and then suppressed having that name appear when I post as that user on my wp site. Basically it acts like a second level of password, you gotta guess the username 1st, then a password if you want to try to hack into my site – Feeling all warm and secure.

Suddenly Flipboard!

Someone sends me a link to their personal Flipboard magazine (didn't know that was possible) and they are pulling content from my wp site. Cool! More networking. I check out the link to their Flipboard mag.

Lo & Behold! There is my suppressed username published on the Flipboard mag for all to see – Feeling violated.

Contacted Flipboard – final summary from them:

"In this situation, that is expected behavior. Although it may be suppressed in Wordpress, we are pulling an RSS feed that's in our database, where "yourusername" is included in the markup, so that will display."

("yourusername" the username for none to see).

So RSS feed, markup ... seems WP should be trapping usernames on posts if they are suppressed ... and stripping them out of published RSS feeds or 'markup' – whatever the Flipboard guy is talking about.

Otherwise, there's not much point in offering the ability to suppress usernames on WP posts being published elsewhere. And if we post under a suppressed username that we like to log in with, assuming no one will see it ... strikes me as a bit of an oops - security wise.

Thanks for reading!

Change History (4)

#1 @SergeyBiryukov
4 years ago

  • Component changed from General to Users

Hi CDN WP GUY, welcome to Trac!

Otherwise, there's not much point in offering the ability to suppress usernames on WP posts being published elsewhere. And if we post under a suppressed username that we like to log in with, assuming no one will see it ... strikes me as a bit of an oops - security wise.

WordPress core does not offer such an ability, as usernames are considered public information, and disclosing them is generally not a security issue.

See comment:1:ticket:34836, comment:1:ticket:33056, and the tickets linked there.

#2 @CDN WP GUY
4 years ago

Thanks for the reply Sergey.

I didn't realize the design philosophy is that usernames are public info, so I get it. Suppressing the display of the username making a posting... is purely for aesthetic reasons.

Logging into my wp site's dashboard, I had been considering the 'username' field to be an additional security measure (in addition to the password) since it was a blank field. I guess the username field could actually be replaced with a drop down menu of existing valid usernames instead.

Thanks. CWG

#3 @rachelbaker
4 years ago

  • Keywords close added

#4 @swissspidy
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.