• Resolved barnez

    (@pidengmor)


    In the source code of 2 sites I find wp-json links in the head:

    <head>
    .....
    <link rel="alternate" type="application/json+oembed" href="https://www.site.com/wp-json/oembed/1.0/embed?url=http%3A%2F%2Fwww.site.com%2F" />
    <link rel="alternate" type="text/xml+oembed" href="https://www.site.com/wp-json/oembed/1.0/embed?url=http%3A%2F%2Fwww.site.com%2F&format=xml" />

    These seem to be inserted by WordPress as they remain if I disable all plugins and activate the Twenty-Sixteen theme.

    The links reveal not only the nickname but also the WordPress admin username:

    ..... "author_name":"nickname","author_url":"http:\/\/www.site.com\/author\/admin-username\/" ......
    ..... <author_name>nickname</author_name><author_url>https://www.site.com/author/admin-username/</author_url> .....

    (where nickname and admin-username are the actual ones used)

    While I know that strong passwords are the main line of defence, and I use login protection to prevent brute force attacks, it seems a little odd that the admin username is so easily found. Isn’t the idea of setting a nickname to protect the admin username being undermined here?

Viewing 2 replies - 1 through 2 (of 2 total)
  • WordPress uses the author user name for all author related links – simply click on an author profile and you’ll get the same URL, so I don’t think their being added to the header weakens the security any further.

    Of course, whether using the admin name for URLs generally is the best security method is a different matter. Maybe, separately from the user name, a slug could be introduced (as in posts, pages, etc), which will signify the URL for the user but not necessarily the username.

    Thread Starter barnez

    (@pidengmor)

    Many thanks for your response.

    I’ve resolved this by changing the user_nicename in the wp_users table to match the display_name:

    Now the author url is:

    "author_url":"http:\/\/www.site.com\/author\/nickname\/"
    <author_url>https://www.site.com/author/nickname/</author_url>

    I would have assumed that by setting the display name or nickname in the admin profile this would have also been used for the author url. As such, any attempts to prevent username enumeration are futile without this additional measure. My wish list would involve new users being encouraged (obliged?) to set a nickname on original setup, which would then be used as the user_nicename for author-related links.
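
    The two measures discussed in this thread, written as a WordPress mu-plugin (an added example, not code from the thread or from WordPress itself): the `oembed_response_data` filter scrubs the author URL from the oEmbed response served at `/wp-json/oembed/1.0/embed`, and a helper (the hypothetical `example_align_nicename_with_display_name`) sets `user_nicename` through `wp_update_user()` rather than editing the `wp_users` table by hand.

```php
<?php
/**
 * Plugin Name: Hide author slug in oEmbed responses (example)
 *
 * Added example, not code from the thread. Place in wp-content/mu-plugins/.
 * (1) Strip the author URL from the oEmbed response that
 *     /wp-json/oembed/1.0/embed returns in JSON and XML form.
 * (2) Align user_nicename with the display name via the WordPress API so the
 *     value is sanitized, kept unique and the user cache is cleared.
 */

// 1. The oEmbed response is built by get_oembed_response_data() and passed
//    through the 'oembed_response_data' filter before it is output.
add_filter( 'oembed_response_data', function ( array $data, WP_Post $post ) {
    // author_url is the /author/<user_nicename>/ link, which is what leaks
    // the login name when user_nicename still equals user_login. Point it
    // at the site root instead; author_name is already the display name.
    $data['author_url'] = home_url( '/' );
    return $data;
}, 10, 2 );

// 2. Hypothetical helper: make the public author slug match the display name.
//    Changing user_nicename changes the public /author/<slug>/ URL, so any
//    previously published author links will stop resolving unless redirected.
function example_align_nicename_with_display_name( int $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user ID' );
    }
    $slug = sanitize_title( $user->display_name );
    if ( '' === $slug || $slug === $user->user_login ) {
        // A display name that is empty or equal to the login name gives
        // no benefit: the slug would still expose the username.
        return new WP_Error( 'bad_slug', 'Display name does not yield a distinct slug' );
    }
    // wp_update_user() sanitizes user_nicename, de-duplicates it if another
    // user already owns the slug, and clears the user cache.
    return wp_update_user( array( 'ID' => $user_id, 'user_nicename' => $slug ) );
}
```

    After applying either measure, reload the page source and fetch the oEmbed URL from the `<link rel="alternate">` tags to confirm that `author_url` no longer contains the login name.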

  • The topic ‘Admin username leaking through wp-json links in head’ is closed to new replies.