• Resolved ditchmonkey

    (@ditchmonkey)


    It seems that the issue of the JSON user list API has been discussed many times and that the WP development team considers this to be “working as intended”. I want to add a few points of feedback regarding this issue:

    1. Your own security recommendations include renaming the admin username. This suggestion loses most of its effectiveness when the alternative username can be easily looked up.

    2. As a confirmation of #1, I use a login attempt logger and sure enough, brute force attacks have shifted to the new admin user name.

    3. I would have never known about this publicly accessible list of users if not for my diligence in logging and observing failed login attempts. Yes, I can resolve this with a plugin, but the vast majority of WP users, even those taking extra security precautions like renaming admin accounts, are never going to know about this “non-vulnerability”.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    1. If you watch any of Aaron Campbell’s talks on wordpress.tv, you’ll see that he no longer regards “admin” as a user ID as a security issue.

    2. Brute force attacks are easily limited. There’s a large number of plugins that will do so. (I use WordFence.)

    3. See #1. Note that WordFence will block an enumeration of users for non-logged in connections.
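The two mitigations this thread talks about, blocking user enumeration for non-logged-in connections and logging failed login attempts so a shift to the renamed admin account becomes visible, can both be done without a plugin. The following is an added example written for this page; it is not code from any participant, from WordPress core or from WordFence. It assumes a site where the file is dropped into wp-content/plugins/ (or its body pasted into a theme's functions.php); the function names and the threshold of 10 failures per hour are the example's own choices.

```php
<?php
/**
 * Plugin Name: Example - hide REST user listing from guests, log failed logins
 *
 * Added example for this thread, not code from WordPress or WordFence.
 * 1. Removes the /wp/v2/users routes for visitors who are not logged in,
 *    so an anonymous request cannot list usernames. Logged-in users keep
 *    the routes (the block editor needs them for the author picker).
 * 2. Records every failed login with the username tried, and keeps a
 *    one-hour counter per username, so a move of brute-force traffic to a
 *    renamed admin account shows up in the PHP error log.
 */

// Do nothing when loaded outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Drop the user-listing routes for anonymous requests.
 * Runs inside the rest_endpoints filter, after REST authentication, so
 * is_user_logged_in() already reflects cookie or application-password auth.
 *
 * @param array $endpoints Registered REST routes keyed by route pattern.
 * @return array Filtered routes.
 */
function example_hide_user_routes_from_guests( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'example_hide_user_routes_from_guests' );

/**
 * Log a failed login and count failures per username over one hour.
 * Hooked to wp_login_failed, which core fires with the submitted username.
 *
 * @param string $username Username that was tried.
 */
function example_log_failed_login( $username ) {
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $user = sanitize_user( $username, true );

    // Transient keyed on the username; expires an hour after the first failure.
    $key   = 'example_failed_' . md5( $user );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, HOUR_IN_SECONDS );

    error_log( sprintf( 'failed login for "%s" from %s (%d in the last hour)', $user, $ip, $count ) );

    // Threshold is an example value; tune it to the site's normal traffic.
    if ( $count >= 10 ) {
        error_log( sprintf( 'possible brute force against "%s": %d failures in an hour', $user, $count ) );
    }
}
add_action( 'wp_login_failed', 'example_log_failed_login' );
```

After activation, an anonymous request to /wp-json/wp/v2/users gets the standard rest_no_route 404 instead of the user list, while an authenticated editor still sees it. The failed-login log is what makes point #2 of the original post observable: if the counter starts climbing for the renamed account, the username was learned from somewhere, and the REST listing is the first place to check.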

    Thread Starter ditchmonkey

    (@ditchmonkey)

    1. Your response is at odds with the official security recommendations made by www.ads-software.com:

    When creating an administrative account, avoid easily guessed terms such as admin or webmaster as usernames because they are typically subject to attacks first

    Hardening WordPress

    Regarding your #3, as I mentioned people are following the official security instructions, not knowing they are being undermined by this user name issue.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Meh. :-) Removing “admin” is window dressing. Probably, the docs team needs to review that. I’ll ping them about it.

    The userid for my website is “sstern”. Telling you that does not concern me.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    WordPress has not used “admin” as a default username for 7+ years now. Some documentation is old, and these things are to be expected.

    Your username is not a secret. Treating it as such doesn’t improve security as long as your password can be as long as you want it to be.

  • The topic ‘Regarding JSON user list API “Non-vulnerability”’ is closed to new replies.