• I’ve seen in my log some IP visiting https://www.example.com/?author= pages. This is done ca. 30 times. Eventually it tried to login as an existing member of my site.

    These author pages result in a 404 page, because I am the only author on my site. But in the html code of these 404 pages the author is visible. Is this normal?

    Can I assume this is a bad bot? Why is it showing the author in the html code (for example in the Title tag) if this author does not exist? Isn’t this a security issue that should be fixed?
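    As an added example (not code from the thread or from WordPress), a small Python script that flags the pattern described above in an access log: one client walking through consecutive ?author=N values and then posting to wp-login.php. The log lines, IP addresses and the minimum-ID threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2018:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2018:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2018:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2018:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2018:10:05:00 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, request method, path and response status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# WordPress resolves ?author=N to the user's archive; an existing user redirects,
# a non-existent one 404s, so a sweep over N is the enumeration signature.
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def parse_line(line):
    """Return a dict with ip/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_enumerators(log_text, min_author_ids=3):
    """Return {ip: {"author_ids": [...], "login_posts": n}} for every client that
    requested at least min_author_ids distinct ?author=N values (threshold assumed)."""
    stats = defaultdict(lambda: {"author_ids": set(), "login_posts": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = AUTHOR_RE.search(rec["path"])
        if hit:
            stats[rec["ip"]]["author_ids"].add(int(hit.group(1)))
        elif rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            stats[rec["ip"]]["login_posts"] += 1
    return {
        ip: {"author_ids": sorted(s["author_ids"]), "login_posts": s["login_posts"]}
        for ip, s in stats.items()
        if len(s["author_ids"]) >= min_author_ids
    }


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(ip, "probed author IDs", info["author_ids"], "then posted to wp-login.php", info["login_posts"], "time(s)")
```

    A client that appears in the result is a candidate for rate limiting or blocking at the web server; as the replies below note, the usernames themselves are not the secret, the passwords are.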

Viewing 10 replies - 1 through 10 (of 10 total)
  • Moderator keesiemeijer

    (@keesiemeijer)

    Hi leenvr76,

    Isn’t this a security issue that should be fixed?

    This comes up a lot.

    It’s your password that grants you secure access and is why you need to ensure that your passwords are strong.

    This explains it better than I could:
    https://wptavern.com/why-showing-the-wordpress-username-is-not-a-security-risk
    https://halfelf.org/2013/false-security/
    https://www.ads-software.com/support/topic/security-issue-37

    Thread Starter leenvr76

    (@leenvr76)

    Thank you, so having exactly the same display name, nickname and username, is not considered a security issue also?

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    No, if you think about how many services use your email address as the username you’ll have to address the same concern.

    Thread Starter leenvr76

    (@leenvr76)

    Well.. hard to understand this is not a security issue.. it should not be possible for anyone to find out the usernames of your site so easily by only adjusting the number of the author.. why not this URL: ?author=username

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    There are plugins you can use to hide the username: https://www.ads-software.com/plugins/hide-username-front-side/

    We’re saying even if your username was completely visible on all parts of your website then it wouldn’t be a security concern.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Think of it this way: my support forum account is jdembowski and more often than not, my account name is jan.

    I’m not worried one iota and I’ve not revealed some secret issue making my account insecure. It’s not a security issue because I assume that my user ID is already known. Same with my email address; I’m on too many public lists to worry about that. Though I do try not to post my address ’cause it does increase spam.

    I use a tool for passwords. Here’s one that I just generated.

    ^BLSLe]lB2fqwdI6YN

    Hmm. The caret symbol bugs me. Let me generate another.

    X0]RE5dlkzSn=rRXyZ

    That one’s better. I won’t use them but you get the idea. Knowing a user’s ID is a given. They are guessable, are often in a list and cannot be protected. But your password IS protectable. It would take a lengthy amount of time to brute force those passwords.

    Yes, I use a backed up, redundant, encrypted tool for my passwords. It’s because I take them seriously that I do that. You don’t have to do that but if you keep strong passwords and don’t share them among your accounts then you should be fine.

    Just don’t worry about people knowing your user ID. That’s already a given.

    The Open Web Application Security Project has a password analyzer. Running your second X0]RE5dlkzSn=rRXyZ password reveals that it would take an organized crime outfit about 165 centuries to crack.

    Unique password generators and vaults with one strong memorable master password are definitely a secure option.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Running your second X0]RE5dlkzSn=rRXyZ password reveals that it would take an organized crime outfit about 165 centuries to crack.

    Quietly tiptoes away to change all my passwords

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    WHOA. The other password ^BLSLe]lB2fqwdI6YN takes even longer.

    And Andrew? Don’t worry. I already changed your passwords for you.

    And Andrew? Don’t worry. I already changed your passwords for you.

    LOL – coffee on my keyboard now

  • The topic ‘Scanning for ?author= and failed login attempt’ is closed to new replies.