
Opened 3 years ago

Last modified 2 years ago

#39645 new defect (bug)

If user "admin" doesn't exist (renamed admin account) users can create a user with username admin

Reported by: jobst Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.7.1
Component: Users Keywords:
Focuses: Cc:
PR Number:

Description

I am not sure whether this is a bug, should be discussed or changed.

I have renamed my "admin" account to something else for security reasons.

I was surprised to see a person being able to create a user with username "admin" due to the email address given "admin@…".

I cannot count the number of script kiddies trying to get into the installation every day using 'admin' ... so having a user with username "admin" is a little bit of a security problem.

Should there not be a way to disable the creation of particular usernames?
Should this be done through WordPress core?

Would this not be a good feature to have that certain usernames cannot be created?

Attachments (1)

39645.diff (1.2 KB) - added by Presskopp 3 years ago.


Change History (12)

#1 follow-up: @lukecavanagh
3 years ago

@jobst

So being able to disallow specific usernames to be a core feature?

#2 follow-up: @mrtortai
3 years ago

There are millions of bots targeting WordPress login pages and 'admin' is by far the most common username attempted. A common security recommendation to harden an installation is to change the default 'admin' username to something else.

There are security plugins available which let you block certain usernames. However, I wonder if WP core prevented 'admin' and 'administrator' from ever being used, how it will impact security as well as usability.

I think it could be a boost to security with very little usability impact.

#3 follow-up: @Presskopp
3 years ago

I wonder if there are living people called 'Admin'?

http://www.babynamespedia.com/meaning/Admin

2c

#4 in reply to: ↑ 1 @jobst
3 years ago

Replying to lukecavanagh:

@jobst

So being able to disallow specific usernames to be a core feature?

Sorry for the delay - been in the country with not so good Internet access.

Yes, @lukecavanagh, disallow specific usernames to be a core feature.

Jobst

#5 in reply to: ↑ 3 @jobst
3 years ago

Replying to Presskopp:

I wonder if there are living people called 'Admin'?

http://www.babynamespedia.com/meaning/Admin

2c

@Presskopp, the problem is the username "admin" is the default administrator username and someone being called "Admin" as a first name is rather rare. I'd rather have the core return "not exist" than add CPU cycles checking the password and returning "username and/or password incorrect".

#6 in reply to: ↑ 2 @jobst
3 years ago

Replying to mrtortai:

There are millions of bots targeting WordPress login pages and 'admin' is by far the most common username attempted. A common security recommendation to harden an installation is to change the default 'admin' username to something else.

There are security plugins available which let you block certain usernames. However, I wonder if WP core prevented 'admin' and 'administrator' from ever being used, how it will impact security as well as usability.

I think it could be a boost to security with very little usability impact.

Fully agreed.


#7 follow-up: @Presskopp
3 years ago

Some 'proof of concept' patch to play around.

#8 @lukecavanagh
2 years ago

39645.diff Patch applies cleanly.

#9 @Presskopp
2 years ago

Thank you @lukecavanagh, but in this form it will not be translated for example, that's why I'm playing with

$errors->add( 'invalid_username', ( __( 'Security error.' ) . ' ' . __( 'Cheatin’ uh?' ) ) );

or we would introduce a new string...

Would be nice to know if this is ending up as a wontfix, but I see some sense in it.
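
The reserved-username check the thread asks for, as an added example (not the 39645.diff patch and not core code): a small plugin that feeds 'admin' and 'administrator' to the `illegal_user_logins` filter, which core already runs when inserting or registering a user, plus an audit of accounts that carry such a login. The `rsvd_` function names and the plugin header are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Reserved Usernames (added example)
 *
 * Example code, not the patch attached to this ticket. Core applies the
 * illegal_user_logins filter in wp_insert_user() and the registration path
 * and rejects a match with the 'invalid_username' error code, using a string
 * that is already translatable, so no new string is needed here.
 */

// Reserved logins. 'admin' and 'administrator' come from the ticket discussion;
// extend the array as needed. Core lowercases both sides before comparing, so
// "Admin" and "ADMIN" are rejected as well.
function rsvd_reserved_logins() {
    return array( 'admin', 'administrator' );
}

// Merge our list with whatever other plugins already disallow.
function rsvd_illegal_user_logins( $illegal ) {
    return array_unique( array_merge( (array) $illegal, rsvd_reserved_logins() ) );
}
add_filter( 'illegal_user_logins', 'rsvd_illegal_user_logins' );

// Same comparison core performs, usable from tests or audit scripts.
function rsvd_is_reserved_login( $login ) {
    $illegal = (array) apply_filters( 'illegal_user_logins', array() );
    return in_array( strtolower( $login ), array_map( 'strtolower', $illegal ), true );
}

// Audit: accounts that already carry a reserved login (e.g. one created before
// this plugin was active), so they can be renamed or removed.
function rsvd_find_existing_reserved_users() {
    return get_users( array(
        'login__in' => rsvd_reserved_logins(),
        'fields'    => array( 'ID', 'user_login' ),
    ) );
}

// Surface the audit result to users who may manage accounts.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'list_users' ) ) {
        return;
    }
    foreach ( rsvd_find_existing_reserved_users() as $u ) {
        $msg = sprintf( 'User #%d has the reserved login "%s"; rename or remove it.', $u->ID, $u->user_login );
        printf( '<div class="notice notice-warning"><p>%s</p></div>', esc_html( $msg ) );
    }
} );
```
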

#10 in reply to: ↑ 7 @jobst
2 years ago

Replying to Presskopp:

Some 'proof of concept' patch to play around.

Looks good!!!
thanks
