Security Issue

  • Greetings WordPress developers.
    Excellent work on the best CMS available! However, there’s an issue/vulnerability I have discovered that is becoming well known by would-be-hackers.

    By default, upon completing a fresh WordPress install, WordPress assigns the users login name as the user “nice name”. (Unless changed upon install the default is “Admin” and most people know to change this)
    The [nice name/user login name]can easily be discovered simply by viewing the users profile, hence, making the hacking process one step easier because now would be hackers only have to figure out the password…
    Despite the fact that you change the user name to a nickname or other option in the profile settings, the default “nice name” does not update in the data base.

    Currently the only way to change the nice name from the login name is to go into php My Admin and manually change it. I’m guessing that for 90% of WordPress users this is not even known or otherwise an option…

    Please consider some sort of update to address this serious vulnerability.

    Thanks

Viewing 6 replies - 1 through 6 (of 6 total)

  • because now would be hackers only have to figure out the password

    As has been pointed out many, many times previous, it is your password that secures your site – not your user name

    Thread Starter Scott

    (@scooter1)

    As has been pointed out many, many times previous, it is your password that secures your site – not your user name

    Seriously?
    I find this unacceptable! Do you realize how fast a “brute force” attack on a WordPress site can crack ANY password?

    Preserving the integrity of the two-step (user name / password) login process should be at the heart of WordPress security and another reason to use WordPress.

    With all due respect, someone can come up with a better response than

    it is your password that secures your site – not your user name

    Seriously?

    Yes. Seriously.

    Do you realize how fast a “brute force” attack on a WordPress site can crack ANY password?

    There are plugins that can protect against brute force login attacks.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    ?????? Advisor and Activist

    Also it doesn’t default to admin anymore and hasn’t for a while. A brute force attack will crash your site, regardless of if they’re hammering a real id or not, even with plugins.

    It’s like… Look, you log in to gmail with your gmail address, which anyone who has talked to you will know. That’s always going to be a thing. The best way to protect yourself is with good passwords, tfa, and firewalls.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I find this unacceptable! Do you realize how fast a “brute force” attack on a WordPress site can crack ANY password?

    Yes. That’s why this article is often referred to.

    https://codex.www.ads-software.com/Brute_Force_Attacks

    It’s never been your userid that is the source of security and bots sweep for weak passwords all the time non-stop. That’s not a vulnerability that’s just a reality of being on the Internet. Examine your ssh login attempts just to confirm that.

    The Login Limit Attempts plugin is really good for that but if you’re really concerned about it then I encourage you to examine 2 factor authentication plugins.

    Thread Starter Scott

    (@scooter1)

    Nice to know…

    I’ve been using the wordfence security plugin and the number of failed log ins (and subsequent lockouts) is ridiculous as of late! All ip’s outside the US are permanently blocked.
    For the record, all my WordPress passwords are at least 24-36 alpha/numeric/spec character created by LastPass.

    Thanks for the feedback.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Security Issue’ is closed to new replies.