Opened 7 weeks ago
Closed 7 weeks ago
#63441 closed defect (bug) (invalid)
Exposed Users
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description
WordPress Exposed Users
Publicly exposed usernames and data make it easier to attempt brute-force attacks on the platform.
WordPress Exposed Users Via JSON API
This WordPress server has a configuration which provides a public listing of all WordPress users. This could lead to brute-force, stolen credentials, phishing and other attacks.
Review the wp-json API location.
Consider disabling the WordPress REST API or installing a security plugin.
WordPress Exposed Users Via Author URL
User enumeration is present on the WordPress server. With user enumeration, an attacker can retrieve usernames and make it easier to attempt brute-force attacks on the platform.
Review the specified URL.
Consider disabling user enumeration on your WordPress configuration.
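An added example of the mitigation the description recommends, as a must-use plugin (this is not code from the ticket or from WordPress core; the hook names are real WordPress hooks, the plugin name is a placeholder):

```php
<?php
/**
 * Plugin Name: Example: restrict user enumeration (placeholder name)
 *
 * Drop into wp-content/mu-plugins/. Added example, not code from this
 * ticket or from WordPress core; the hook names are real WordPress hooks.
 */

// 1. JSON API: hide the /wp/v2/users routes from unauthenticated requests.
//    Logged-in users (e.g. the block editor loading author lists) keep
//    access. rest_endpoints runs after REST authentication, so
//    is_user_logged_in() already reflects cookie/nonce auth here.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}
	foreach ( array_keys( $endpoints ) as $route ) {
		if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
			unset( $endpoints[ $route ] );
		}
	}
	return $endpoints;
} );

// 2. Author URL: stop the ?author=N -> /author/<username>/ redirect for
//    anonymous visitors. Priority 1 so it runs before redirect_canonical,
//    which is hooked on template_redirect at priority 10.
add_action( 'template_redirect', function () {
	if ( is_admin() || is_user_logged_in() ) {
		return;
	}
	if ( isset( $_GET['author'] ) || isset( $_GET['author_name'] ) ) {
		wp_safe_redirect( home_url( '/' ), 302 );
		exit;
	}
}, 1 );
```

Author slugs still appear in post bylines, author archives and sitemaps, so this removes the two listings the scanner flagged rather than making usernames secret, which is the point the ticket reply makes.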
Hi @strahan, welcome to WordPress Core Trac.
The WordPress project doesn’t consider usernames or user ids to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.
Generally speaking, people do not consider usernames to be secret, often sharing them openly. Additionally, many major online establishments — such as Google and Facebook — have done away with usernames in favor of email addresses, which are shared around constantly and freely. WordPress has also moved this way, allowing users to log in with an email address or username since version 4.5.
Instead of attempting to hide a public identifier, WordPress attempts to encourage users to choose strong passwords instead, through both user interface as well as education.
Note that WordPress is not the only open source project to believe this. Drupal has similar arguments for the same thing.