Opened 2 years ago
Closed 2 years ago
#56156 closed defect (bug) (invalid)
Admin UserId revealed
Reported by: | dlucco | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 6.0 |
Component: | Posts, Post Types | Keywords: | |
Focuses: | privacy | Cc: | |
Description
Hello, I use Wordfence and I've seen many unauthorized access attempts where hackers try to guess the admin userid and password. So I always use hard-to-guess admin userids and passwords, and do my best to keep the admin userid hidden. On this website, my admin username is DantitoLindoPeshosho, my Nickname is Dan, and in the user profile I've set "Display name publicly" to my Nickname = Dan.
However, I have noticed that, if articles are published by the admin (only by him/her most of the time!), hackers can go to an article, check in the article's metadata for the author nickname, then go to the HTML source, Ctrl+F to find the nickname, and then they will find a link to view all posts by that author, which will contain the (admin) userid slug.
At this point I hope you find a way to fix this; in the meantime I will create a new userid without admin privileges, and will assign it as author of every post.
I thought this is a security issue and I tried to report it to HackerOne WordPress, but it's very confusing unless you are a security specialist.
Best Regards
Dante
Hi there and welcome to WordPress Trac!
The WordPress project doesn’t consider usernames or user ids to be private or secure information. Please read https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue to learn more about why disclosure of usernames or user IDs is not a security issue.
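A way to check your own rendered pages for the author-link exposure described in the report, as an added example that is not part of the ticket or of WordPress itself. It assumes the default `/author/<slug>/` permalink base on a site served from the domain root and that the slug is the lowercased login; the function names, sample markup and account names are constructed.

```python
# Added example: self-audit of rendered HTML from a site you administer.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: default WordPress author base, site installed at the domain root.
AUTHOR_PATH = re.compile(r"^/author/([^/]+)/?")

class AuthorLinkParser(HTMLParser):
    """Collect (slug, link text) pairs for every author-archive link."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._slug = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        match = AUTHOR_PATH.match(urlparse(href).path)
        if match:
            self._slug, self._text = match.group(1), []

    def handle_data(self, data):
        if self._slug is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._slug is not None:
            self.links.append((self._slug, "".join(self._text).strip()))
            self._slug = None

def exposed_privileged_slugs(html, privileged_logins):
    """Return author slugs in the page that match a privileged login name."""
    parser = AuthorLinkParser()
    parser.feed(html)
    # Assumption: the slug equals the login lowercased (true for plain logins).
    wanted = {login.lower() for login in privileged_logins}
    return sorted({slug for slug, _ in parser.links if slug.lower() in wanted})

# Constructed sample markup and account names (not taken from a real site).
SAMPLE_HTML = """
<span class="byline">By <a href="https://example.test/author/examplesiteadmin/">Dan</a></span>
<span class="byline">By <a href="/author/guest-writer/">Guest</a></span>
"""
ADMIN_LOGINS = ["ExampleSiteAdmin"]

if __name__ == "__main__":
    print(exposed_privileged_slugs(SAMPLE_HTML, ADMIN_LOGINS))
```

An empty result for every public page means no privileged login appears in author links, which is the state the reporter's workaround of a separate non-admin author account aims for.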