Opened 6 years ago

Closed 6 years ago

Last modified 7 months ago

#5388 closed enhancement (wontfix)

Author Permalink (myblog.com/author/username/) does not help security

Reported by: enposte
Owned by: pishmishy
Milestone:
Priority: low
Severity: minor
Version: 2.3.1
Component: Security
Keywords:
Focuses:
Cc:

Description

When pretty permalinks are enabled, any hacker can easily find out the usernames used on the blog.

All they have to do is type:

myblog.com/?author=(some_random_id)

and if there is an author with that id, the URL will redirect to:

myblog.com/author/matching_username/

I think it would be more secure if the URL redirected to:

myblog.com/author/author_id/
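The behaviour described above is WordPress's canonical redirect turning a numeric `?author=N` query into the pretty `/author/<user_nicename>/` URL, which reveals the login name whenever the nicename has not been changed. The following mu-plugin is an added example written for this page; it is not part of WordPress core and not code from the ticket. It assumes a standard install where `redirect_canonical` runs on `template_redirect` at the default priority 10, so a callback at priority 1 runs first; the file name and function name are hypothetical. It answers front-end requests carrying a numeric `author` parameter with a plain 404 instead of redirecting, so the ID-to-username mapping is never disclosed, while pretty author archive URLs and wp-admin user screens keep working.

```php
<?php
/**
 * Plugin Name: Block author-ID enumeration (illustrative example)
 * Description: Stops ?author=N from redirecting to /author/<nicename>/ on the front end.
 *
 * Hypothetical mu-plugin: save as wp-content/mu-plugins/block-author-id.php
 * (assumed path). Not part of WordPress core.
 */

// Priority 1 so this runs before redirect_canonical (hooked at priority 10),
// which is what performs the ?author=N -> /author/<nicename>/ redirect.
add_action( 'template_redirect', 'example_block_author_id_enumeration', 1 );

/**
 * Refuse front-end requests that select an author by numeric ID.
 *
 * Pretty archive requests (/author/<nicename>/) do not carry ?author=N,
 * so they are untouched; only the enumeration form is blocked.
 */
function example_block_author_id_enumeration() {
	if ( is_admin() ) {
		return; // wp-admin user screens legitimately use numeric author IDs.
	}

	// Only a plain, all-digit value is the enumeration vector from the ticket.
	// Arrays or non-numeric strings are left to WordPress's normal handling.
	if ( ! isset( $_GET['author'] ) || ! is_string( $_GET['author'] ) ) {
		return;
	}
	$author_param = wp_unslash( $_GET['author'] );
	if ( $author_param === '' || ! ctype_digit( $author_param ) ) {
		return;
	}

	// Respond with a 404 and exit before the canonical redirect can fire.
	// The response is identical whether or not the ID exists, so a probe
	// learns nothing about which IDs are valid.
	wp_die(
		esc_html__( 'Not found' ),
		'',
		array( 'response' => 404 )
	);
}
```

A 404 is deliberately returned for existing and non-existing IDs alike; answering differently (for example redirecting valid IDs to the home page) would still let a probe confirm which IDs are in use. Changing each account's nicename in the user profile remains the complementary step, since the `/author/<nicename>/` URL itself is public by design.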

Change History (8)

comment:1 enposte, 6 years ago

  • Milestone changed from 2.3.2 to 2.4

comment:2 JeremyVisser, 6 years ago

  • Milestone changed from 2.4 to 2.5
  • Priority changed from high to low
  • Severity changed from critical to minor

Tinfoil hat alert!

Seriously, I don't think this is that big a worry, especially seeing as though we already know that 100% of WordPress installations have an 'admin' user.

It would be nice to have "author slugs" though, but that would be purely for aesthetic reasons.

comment:3 enposte, 6 years ago

Surely it makes sense not to advertise your username to a brute force attacker.

But as you pointed out, most users don't bother changing 'admin'. Perhaps there should be a way to rename 'admin' easily.

I'll leave opening that ticket for you though, as I don't want to start another tinfoil hat alert.

comment:4 pishmishy, 6 years ago

  • Owner changed from anonymous to pishmishy
  • Status changed from new to assigned

I'm pretty sure this is a duplicate of another ticket although I can't seem to find it. Either that or it's been discussed to death on the mailing list. :-)

As discussed you don't need to know a user name to brute force an account. I think that renaming the admin account achieves the task at some cost ("Log into your admin account.. I don't have an admin account."). Perhaps the option of enforcing strong passwords would be useful?

comment:5 pishmishy, 6 years ago

See #4470 for a related password strength patch. Not entirely happy with that way of doing things.

comment:6 pishmishy, 6 years ago

  • Resolution set to wontfix
  • Status changed from assigned to closed

Closing as wontfix.

comment:7 lloydbudd, 6 years ago

  • Milestone 2.5 deleted

comment:8 SergeyBiryukov, 7 months ago

#25428 was marked as a duplicate.
