Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#56156 closed defect (bug) (invalid)

Admin UserId revealed

Reported by: dlucco Owned by:
Milestone: Priority: normal
Severity: normal Version: 6.0
Component: Posts, Post Types Keywords:
Focuses: privacy Cc:

Description

Hello, I use Wordfence and I've seen many unauthorized access attempts where hackers try to guess the admin userid and password. So I always use hard-to-guess admin userids and passwords, and do my best effort to keep the admin userid hidden. On this website, my admin username is DantitoLindoPeshosho, my Nickname is Dan, and in the user profile I've set "Display name publicly" to my Nickname = Dan.

However, I have noticed that, if articles are published by the admin (only by him/her most of the time!), hackers can go to an article, check in the article's metadata for the author nickname, then go to the HTML source, Ctrl+F to find the nickname, and then they will find a link to view all posts by that author, which will contain the (admin) userid slug.

At this point I hope you find a way to fix this; in the meantime I will create a new userid without admin privileges, and will assign it as author of every post.

I thought this is a security issue and I tried to report it to HackerOne WordPress, but it's very confusing unless you are a security specialist.

Best Regards

Dante
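The link the reporter describes is the author archive URL, which WordPress builds from the user's user_nicename (the "slug"), and that value defaults to the sanitized login name. The following mu-plugin is an added example, not code from the ticket or from WordPress Core: it audits which administrator accounts still have a slug equal to their login name and offers a helper that sets a distinct slug. It assumes it is dropped into wp-content/mu-plugins/ on a WordPress site; the function names (asa_*) are made up for this example.

```php
<?php
/**
 * Plugin Name: Author Slug Audit (added example, not part of the ticket)
 *
 * WordPress derives /author/<slug>/ from user_nicename, which defaults to
 * sanitize_title( user_login ). Giving an account a different nicename
 * removes one place where the login name is echoed publicly; it does not
 * make the login name secret (see the ticket resolution below).
 */

// Return users of the given role whose public author slug equals their login name.
function asa_users_with_login_as_slug( $role = 'administrator' ) {
    $hits = array();
    foreach ( get_users( array( 'role' => $role ) ) as $user ) {
        if ( $user->user_nicename === sanitize_title( $user->user_login ) ) {
            $hits[] = $user;
        }
    }
    return $hits;
}

// Give one user a slug based on the display name (or a random one), unique among users.
function asa_decouple_author_slug( WP_User $user ) {
    $base = sanitize_title( $user->display_name );
    if ( '' === $base || $base === sanitize_title( $user->user_login ) ) {
        $base = 'author-' . strtolower( wp_generate_password( 8, false ) );
    }
    $slug = $base;
    $i    = 2;
    while ( get_user_by( 'slug', $slug ) ) { // 'slug' looks up user_nicename
        $slug = $base . '-' . $i++;
    }
    return wp_update_user( array( 'ID' => $user->ID, 'user_nicename' => $slug ) );
}

// Show administrators a notice listing affected accounts; nothing is changed automatically.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $hits = asa_users_with_login_as_slug();
    if ( empty( $hits ) ) {
        return;
    }
    $names = implode( ', ', wp_list_pluck( $hits, 'user_login' ) );
    echo '<div class="notice notice-warning"><p>Author slug equals login name for: '
        . esc_html( $names ) . '</p></div>';
} );
```

Call asa_decouple_author_slug( get_user_by( 'login', 'the-admin' ) ) once from WP-CLI or a temporary script to apply the change; the audit notice will disappear once no administrator's slug matches their login name.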

Change History (1)

#1 @swissspidy
2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi there and welcome to WordPress Trac!

The WordPress project doesn’t consider usernames or user ids to be private or secure information. Please read https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue to learn more about why disclosure of usernames or user IDs is not a security issue.
