Theme leaks username, even when nickname is set

  • Resolved barnez

    (@pidengmor)


    8 years, 6 months ago

    Hi,

    I have noticed that this theme is leaking my WordPress username in the page source, even where I have a nickname set in the profile. See <a class="url fn n" href="https://www.xxxx.com/author/username/" title="View all posts by nickname">Nickname</a></span> here, where username is my WordPress admin username:

    <header class="entry-header">
				<h1 class="entry-title">xxxx xxxx xxxx</h1>

				<div class="entry-meta">
			<span class="date"><a href="https://www.xxxx.com/xxxx-xxxx/" title="Permalink to xxxx xxxx xxxx" rel="bookmark"><time class="entry-date published" datetime="2015-07-06T08:37:49+00:00">July 6, 2015</time><time class="updated" datetime="2015-12-07T21:23:01+00:00">December 7, 2015</time></a></span><span class="author vcard"><a class="url fn n" href="https://www.xxxx.com/author/username/" title="View all posts by nickname">Nickname</a></span>

    In the interests of credentials’ security, is there anything in the theme settings where this output can be disabled? Or a filter for functions.php to remove it?

    Thanks.

Viewing 2 replies - 1 through 2 (of 2 total)

  • Hi @barnez,

    I can see from your other thread that you resolved this by changing the user_nicename field to match your display name in your database.

    I also found some previous discussions that you were involved with around the security of public usernames.

    As you know, WordPress does not consider publicly available usernames to be a security risk by themselves. The accompanying passwords are key to security and we also recommend two-step authentication to prevent hackers from logging into your account.

    I can tell that this is something that you’ve thought about a lot, though, and am glad you’ve been able to find a solution that works for you.

    Regarding this:

    My wish list would involve new users being encouraged (obliged?) to set a nickname on original setup, which would then be used as the user_nicename for author-related links.

    You may wish to open a new ticket on Trac or go to WordPress Slack to discuss the possibility with the community that makes WordPress.

    Thread Starter barnez

    (@pidengmor)

    @siobhan Bamber

    Many thanks for getting back on this, and for posting the links to the related discussions. Yep, I do seem to be predisposed to pouncing on-board security-related topics ??

    I do get the WordPress policy of focusing on strong passwords, and use a password manager for all my passwords, but I can err towards belt and braces, hence my concern over the username leak when I had set up the nickname in the profile.

    As you’ve noticed, I have taken simple steps to resolve this in the users table, and take back my original belief that Motof was responsible for this.

    Keep up the great work, and thanks for the Slack suggestion.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Theme leaks username, even when nickname is set’ is closed to new replies.