WordPress.org

Make WordPress Core

Opened 14 years ago

Closed 14 years ago

Last modified 5 years ago

#5388 closed enhancement (wontfix)

Author Permalink (myblog.com/author/username/) does not help security

Reported by: enposte Owned by: pishmishy
Milestone: Priority: low
Severity: minor Version: 2.3.1
Component: Security Keywords:
Focuses: Cc:

Description

When pretty permalinks are enabled any hacker can easily find out the usernames used on the blog.

All they have to do is type:

myblog.com/?author=(some_random_id)

and if there is an author with that id, the URL will redirect to:

myblog.com/author/matching_username/

I think it would be more secure if the URL redirected to:

myblog.com/author/author_id/

Change History (9)

#1 @enposte
14 years ago

  • Milestone changed from 2.3.2 to 2.4

#2 @JeremyVisser
14 years ago

  • Milestone changed from 2.4 to 2.5
  • Priority changed from high to low
  • Severity changed from critical to minor

Tinfoil hat alert!

Seriously, I don't think this is that big a worry, especially seeing as though we already know that 100% of WordPress installations have an 'admin' user.

It would be nice to have "author slugs" though, but that would be purely for aesthetic reasons.

#3 @enposte
14 years ago

Surely it makes sense not to advertise your username to a brute force attacker.

But as you pointed out, most users don't bother changing 'admin'. Perhaps there should be a way to rename 'admin' easily.

I'll leave opening that ticket for you though, as I don't want to start another tinfoil hat alert.

#4 @pishmishy
14 years ago

  • Owner changed from anonymous to pishmishy
  • Status changed from new to assigned

I'm pretty sure this is a duplicate of another ticket although I can't seem to find it. Either that or it's been discussed to death on the mailing list. :-)

As discussed you don't need to know a user name to brute force an account. I think that renaming the admin account achieves the task at some cost ("Log into your admin account.. I don't have an admin account."). Perhaps the option of enforcing strong passwords would be useful?

#5 @pishmishy
14 years ago

See #4470 for a related password strength patch. Not entirely happy with that way of doing things.

#6 @pishmishy
14 years ago

  • Resolution set to wontfix
  • Status changed from assigned to closed

Closing as wontfix.

#7 @lloydbudd
14 years ago

  • Milestone 2.5 deleted

#8 @SergeyBiryukov
8 years ago

#25428 was marked as a duplicate.

This ticket was mentioned in Slack in #core by swissspidy. View the logs.


5 years ago

Note: See TracTickets for help on using tickets.