Hello @clp55,
Thank you for taking the time to report a security issue. However, in the future, we do ask that you report suspected security issues responsibly by emailing security at www.ads-software.com about them directly, instead of posting in a public forum.
To answer your point, WordPress doesn’t consider usernames or user ids to be private or secure information. Here are a few points for your consideration:
1. On most sites, usernames are pretty readily available/visible, and users don’t treat them as private.
2. There are many places where the “username” could be disclosed. Author archive URLs contain it, it’s in the RSS feeds, it’s used in the body_class for author archives, and so forth. All of these actually use the “user_nicename”, but in most cases this is the same as the username.
3. Most importantly, the username is not actually considered secret information. Disclosure of it is not a security risk.
With regards to the last one, consider what would be the case if the username was actually considered “private” and so strong attempts were made to hide it. In that case, we’d essentially be treating it as if it were a second password. Now, if we assume that the user already has a strong password, then the username-as-a-password is simply an additional bit of information to “add-on” to that existing strong password. So the total password strength is now their existing strong password plus the hidden username.
The problem with this sort of thinking is that, generally speaking, people are trained to pick strong passwords (hopefully), but not to pick strong usernames. So this means that they are going to be picking an easy-to-use/remember username, which also happens to make it particularly weak as a password. It is better to teach people to pick stronger passwords instead, making the username irrelevant.
The concept of having a second “password” is silly on the face of it, really. Consider the case where instead of a username and a password, we simply had two password fields. You have to know your first password, and your second password. Now, that seems dumb right away, doesn’t it? Because a password has no length limit, you could simply add the two passwords together and put them in one field. So, why have two of them? Similarly, why make your username complicated like a password would be? Just make your password longer and stronger.
Also, let’s consider that the “username” is kind of dead as an identifier at this point anyway. Look at Facebook and Google, for example. They don’t even have usernames, they simply use your email address as the account identifier. WordPress now supports logging in with either a username or email as well. Finding out somebody’s email address tends to be pretty easy (you share yours with everybody you send email to), so are these services insecure because there is no username used on them to begin with?
Keeping the username semi-public at least teaches people that it’s not meant to be hidden, and that they should rely on strong passwords for security. Ideally, we’d slowly phase out usernames altogether and just use email addresses. At least people usually remember those. The username is really a relic and a way to have friendly identifiers for other purposes (like those Author URLs).
Certainly, you can easily discover that my username on my blog is “otto”, but that doesn’t get you any closer to brute-forcing my 20+ character password, so it’s irrelevant.
Note that WordPress is not the only open source project to believe this. Drupal has similar arguments for the same thing: https://drupal.org/node/1004778