Opened 8 years ago
Last modified 2 years ago
#39645 new defect (bug)
If user "admin" doesn't exist (renamed admin account) users can create a user with username admin
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 4.7.1 |
| Component: | Users | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
I am not sure whether this is a bug, or whether it should be discussed or changed.
I have renamed my "admin" account to something else for security reasons.
I was surprised to see that a person was able to create a user with the username "admin", because the email address given was "admin@…".
I cannot count the number of script kiddies trying to get into the installation every day using 'admin', so having a user with the username "admin" is a bit of a security problem.
Should there not be a way to disable the creation of particular usernames?
Should this be done through WordPress core?
Would it not be a good feature to have that certain usernames cannot be created?
Attachments (3)
Change History (22)
#2 (8 years ago, follow-up: 6)
There are millions of bots targeting WordPress login pages and 'admin' is by far the most common username attempted. A common security recommendation to harden an installation is to change the default 'admin' username to something else.
There are security plugins available which let you block certain usernames. However, I wonder if WP core prevented 'admin' and 'administrator' from ever being used, how it will impact security as well as usability.
I think it could be a boost to security with very little usability impact.
#4 (8 years ago, in reply to: 1)
Replying to lukecavanagh:
@jobst
So being able to disallow specific usernames to be a core feature?
Sorry for the delay; I have been in the country with poor Internet access.
Yes, @lukecavanagh, disallow specific usernames to be a core feature.
Jobst
#5 (8 years ago, in reply to: 3)
Replying to Presskopp:
I wonder if there are living people called 'Admin'?
http://www.babynamespedia.com/meaning/Admin
2c
@Presskopp, the problem is that the username "admin" is the default administrator username, and someone called "Admin" as a first name is rather rare. I'd rather have core return "does not exist" than add CPU cycles checking the password and returning "username and/or password incorrect".
#6 (8 years ago, in reply to: 2)
Replying to mrtortai:
There are millions of bots targeting WordPress login pages and 'admin' is by far the most common username attempted. A common security recommendation to harden an installation is to change the default 'admin' username to something else.
There are security plugins available which let you block certain usernames. However, I wonder if WP core prevented 'admin' and 'administrator' from ever being used, how it will impact security as well as usability.
I think it could be a boost to security with very little usability impact.
Fully agreed.
#8 (8 years ago)
39645.diff Patch applies cleanly.
#9 (8 years ago)
Thank you @lukecavanagh, but in this form it will not be translated, for example; that's why I'm playing with
$errors->add( 'invalid_username', ( __( 'Security error.') . ' ' . __( 'Cheatin’ uh?') ) );
or we would have to introduce a new string.
It would be nice to know whether this is going to end up as a wontfix, but I see some sense in it.
#11 (8 years ago)
Interesting:
https://ma.tt/2013/04/passwords-and-brute-force/
#14 (3 years ago)
@noamcleanforestsolutionscom I don't think we need to use strtolower
because adMin or aDmIn etc. would not appear to be the real admin account imo.
#15 (3 years ago)
@Presskopp the fix including 'strtolower' does not cost much space or computing power, but it helps the admin have a clean site without a suspicious username.
Keep the 'strtolower' 100%.
#16 (3 years ago)
I would even go so far as to use
strncasecmp(strtolower($sanitized_user_login), 'admin', 5)
for the comparison; anything starting with "admin" would be disallowed.
#17 (3 years ago)
OK, then if we go in that direction we could also think about using Spoofchecker::isSuspicious.
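As an added example illustrating comments #14 to #17 (this is not the attached 39645.diff and not WordPress core code), the following must-use plugin combines the three rules the thread discusses: an exact case-folded match, the "starts with admin" prefix rule, and an intl Spoofchecker look-alike check. It assumes the core `illegal_user_logins` and `registration_errors` filters (both present in WordPress 4.4 and later), PHP's `intl` extension for `Spoofchecker`, and a reserved-name list of my own choosing; every name prefixed `example_` is hypothetical.

```php
<?php
/**
 * Added example for this ticket; not the attached patch and not WordPress
 * core code. Place it in wp-content/mu-plugins/ to refuse reserved logins.
 * The reserved list is the example author's choice; example_* names are
 * hypothetical.
 */

/** Logins nobody may register; compared case-insensitively. */
function example_reserved_logins() {
    return array( 'admin', 'administrator', 'root' );
}

/** Exact match after case folding, so "adMin" and "ADMIN" are refused too. */
function example_is_reserved_login( $login ) {
    $fold  = function_exists( 'mb_strtolower' ) ? 'mb_strtolower' : 'strtolower';
    $login = $fold( trim( $login ) );
    return in_array( $login, array_map( $fold, example_reserved_logins() ), true );
}

/**
 * Prefix rule from comment #16: anything beginning with "admin"
 * (admin2, admin_bob, Administrator) is refused. strncasecmp() is already
 * case-insensitive, so wrapping its argument in strtolower() adds nothing.
 */
function example_starts_with_admin( $login ) {
    return 0 === strncasecmp( trim( $login ), 'admin', 5 );
}

/**
 * Look-alike rule from comment #17, using the intl extension's Spoofchecker:
 * refuses logins that are visually confusable with a reserved one, e.g.
 * "аdmin" with a Cyrillic "а" (U+0430) in place of the Latin "a".
 * Without intl the check is skipped rather than blocking every login.
 */
function example_is_confusable_login( $login ) {
    if ( ! class_exists( 'Spoofchecker' ) ) {
        return false;
    }
    $checker = new Spoofchecker();
    foreach ( example_reserved_logins() as $reserved ) {
        if ( $checker->areConfusable( $login, $reserved ) ) {
            return true;
        }
    }
    return false;
}

/** Combined policy; true means "refuse this login". */
function example_login_is_blocked( $login ) {
    return example_is_reserved_login( $login )
        || example_starts_with_admin( $login )
        || example_is_confusable_login( $login );
}

if ( function_exists( 'add_filter' ) ) {
    // Core's own hook (since 4.4): wp_insert_user() and multisite signup
    // refuse these exact names, so users created in wp-admin are covered too.
    add_filter( 'illegal_user_logins', function ( $list ) {
        return array_merge( (array) $list, example_reserved_logins() );
    } );

    // The prefix and look-alike rules need the candidate login itself, which
    // registration_errors passes; this covers wp-login.php?action=register.
    add_filter( 'registration_errors', function ( $errors, $sanitized_user_login, $user_email ) {
        if ( example_login_is_blocked( $sanitized_user_login ) ) {
            $errors->add( 'invalid_username', __( 'Sorry, that username is not allowed.' ) );
        }
        return $errors;
    }, 10, 3 );
}
```

One caveat a practitioner should note: only the exact-name list goes through `illegal_user_logins`, so the prefix and look-alike rules above apply to front-end registration only. To enforce them for users created from the dashboard as well, hook the same `example_login_is_blocked()` check into the `user_profile_update_errors` action, which runs for both new and edited users.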