#5388 closed enhancement (wontfix)
Author Permalink (myblog.com/author/username/) does not help security
| Reported by: | enposte | Owned by: | pishmishy |
|---|---|---|---|
| Milestone: | | Priority: | low |
| Severity: | minor | Version: | 2.3.1 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
When pretty permalinks are enabled any hacker can easily find out the usernames used on the blog.
All they have to do is type:
myblog.com/?author=(some_random_id)
and if there is an author with that id, the URL will redirect to:
myblog.com/author/matching_username/
I think it would be more secure if the URL redirected to:
myblog.com/author/author_id/
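A defender-side check for the behaviour the reporter describes, added here as an example and not part of the ticket or of WordPress: it scans access-log lines for clients that probe many distinct `?author=<id>` values and records which IDs the server answered with a redirect, since a redirect is exactly the confirmation the ticket is about. The log lines, the regular expression and the threshold of three distinct IDs are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format (not from the ticket).
# One client walks ?author=1..4 and gets 301 redirects for the IDs that exist;
# another client makes a single request and then follows the redirect target.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:12:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:05:30 +0000] "GET /author/someuser/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Constructed parser for the fields we need: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, method, target, status) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("target"), int(m.group("status"))


def author_id(target):
    """Return the integer ?author= value of a request target, or None if absent."""
    vals = parse_qs(urlsplit(target).query).get("author")
    if not vals or not vals[0].isdigit():
        return None
    return int(vals[0])


def find_enumeration(log_text, threshold=3):
    """Group ?author=<id> probes by client IP and report clients that tried
    at least `threshold` distinct IDs. 'confirmed' lists the IDs for which the
    server answered with a redirect, i.e. the IDs that map to a real account."""
    probed = defaultdict(set)
    confirmed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _method, target, status = rec
        uid = author_id(target)
        if uid is None:
            continue
        probed[ip].add(uid)
        if status in (301, 302):
            confirmed[ip].add(uid)
    return {
        ip: {"probed": sorted(ids), "confirmed": sorted(confirmed[ip])}
        for ip, ids in probed.items()
        if len(ids) >= threshold
    }


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed {info['probed']}, redirect confirmed {info['confirmed']}")
```

Run against a real log, the `confirmed` list is the set of account IDs the site has already disclosed to that client, which is useful context when deciding whether to rate-limit the client or to disable the `?author=` redirect altogether.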
Change History (9)
#2 (17 years ago)
- Milestone changed from 2.4 to 2.5
- Priority changed from high to low
- Severity changed from critical to minor
#3 (17 years ago)
Surely it makes sense not to advertise your username to a brute force attacker.
But as you pointed out, most users don't bother changing 'admin'. Perhaps there should be a way to rename 'admin' easily.
I'll leave opening that ticket for you though, as I don't want to start another tinfoil hat alert.
#4 (17 years ago)
- Owner changed from anonymous to pishmishy
- Status changed from new to assigned
I'm pretty sure this is a duplicate of another ticket although I can't seem to find it. Either that or it's been discussed to death on the mailing list. :-)
As discussed you don't need to know a user name to brute force an account. I think that renaming the admin account achieves the task at some cost ("Log into your admin account.. I don't have an admin account."). Perhaps the option of enforcing strong passwords would be useful?
#5 (17 years ago)
See #4470 for a related password strength patch. Not entirely happy with that way of doing things.
#6 (17 years ago)
- Resolution set to wontfix
- Status changed from assigned to closed
Closing as wontfix.
Tinfoil hat alert!
Seriously, I don't think this is that big a worry, especially seeing as though we already know that 100% of WordPress installations have an 'admin' user.
It would be nice to have "author slugs" though, but that would be purely for aesthetic reasons.