WP 4.3.1 still allows visibility of admin usernames
-
Hello.
After creating a Post, the post includes “By ____” which shows the WP admin’s NICKNAME. This is fine, as it is very different from the actual WP Admin USERNAME.
The issue is that HOVERING over the “By ___” reveals the actual WP Admin Username in the browser!
As we all agree, this is a security flaw, since it reveals 50% of the logon credential to a would-be hacker.
Screenshot: https://postimg.org/image/6oxpfigk9/
Please advise.
-
You could HACK core Or you could change it by changing the display name in the users profile.
Your statement is wrong.
Out of the box WP creates user_login, user_nicename, display_name.
All three are the same.Changing the display name in the users profile. as you put it, changes display_name.
Automated user enumeration reads user_nicename, not display_name.
@tim Nash – thanks for the constructive feedback and support.
I recently came across this plugin. Has anyone leveraged it with success? It seems to encompass a range of security features: “all-in-one-wp-security-and-firewall”
https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/
@iframe – are you in agreement that my suggestion will not cause issues and may, in fact, be a noteworthy change?
I am contemplating making an additional albeit experimental change, by directly (myPhpAdmin) editing the “user_nicename” database column’s value in WP_USERS table, for the Admin user. Presently, its value is the SAME as the username and I plan to change it to the same value as the account’s Nickname which, in my case, is purposefully dissimilar to the username. This is just in case the “nicename” is shown anywhere within WP or the plugins I’ve engaged.
2016-Apr-10: I wanted to circle back and update readers that the above idea works perfectly, even after Posts have been published.
Simply log into phpMyAdmin, select your WP database, browser the WP_USERS table, and alter (for every user) the “user_nicename” value to something different than the actual login name .. and, of course, unique across all records in this table.
In my opinion, this action should be completed IMMEDIATELY after creating a new username .. and certainly BEFORE exposing your website to search engine crawlers.
I performed a test, by posting TWO articles – one with a WP User “my-test-user” whose “user_nicename” value was the same as their login name. Google results included both articles and, in particular, the article published by the aforementioned user revealed their username as such:
https://mydomain.com/author/my-test-user/
Supporting articles for manually editing the “user_nicename” value:
https://www.ads-software.com/support/topic/how-can-i-change-the-user_nicenamehttps://itpixie.com/2012/10/hide-your-wordpress-login-from-author-archive/#.VcO2lM_JC9I
Granted, there are other more promising means to protecting one’s WordPress security (as outlined throughout this post). However, I do not understand why WordPress has not taken measures to fix this “information leak”.
On a related note, I may also try an online scanning service such as this free 14-day trial with Acunetix (formerly WebsiteDefender.com).
To those interested, here’s a related article posted today, covering WordPress and WooCommerce topics “Post-launch security steps to take in WooCommerce“.
However, I do not understand why WordPress has not taken measures to fix this “information leak”.
Mainly because it’s as much an information leak as your site name. Or URL. Or
/wp-admin/
. Or/wp-login.php
as in “It’s not, nor has it ever been an information leak or has any security risk at all.”*Drinks coffee*
Simply log into phpMyAdmin, select your WP database, browser the WP_USERS table, and alter (for every user) the “user_nicename” value to something different than the actual login name .. and, of course, unique across all records in this table.
All database entries are accessible via the WordPress API. Have you considered writing a plugin that sets a user option of “nice_name_obfuscated” and hooks into the wp_create_user()?
https://codex.www.ads-software.com/Function_Reference/wp_create_user
I’ve not tried (this is NOT a security issue not matter how many times it comes up) but recommending users edit raw database fields is not necessarily a safe thing to do.
The idea is that when a user is created mung the nice name at the time of creation.
*Drinks more coffee*
It’s still a poor idea but a plugin would be safer than phpMyAdmin.
@jan Dembowski: Revealing usernames actually is a security risk, and those saying that it’s 50% of what a hacker needs to access to access your site (at least that particular entry point) are 100% correct.
I’ve had to address this issue a lot lately, so here I go again. I apologize in advance if any of this offends you. Just know that I don’t mean any of it personally.
Security is not binary. It is not on or off, black or white.
Security is about reducing risk and lowering the statistical probability of a successful attack. You can never eliminate risk fully, and there is no such thing as 100% impenetrable security, even with the best measures in place.
It should never, ever be said, “that’s not a security risk,” because anything, when leveraged properly, can be a security risk.
The only way security could ever be binary, on or off, black or white, was if there were truly only one entry/exit control point, and you could devise a perfectly secure system. That will never exist. ANYTHING can be broken into…ANYTHING can be hacked. There is always someone out there with the skills to beat your best defenses. It is extremely important for system administrators, web developers, and security experts to humbly admit that.
While I was deployed, we had to be keenly aware of that fact as our lives depended on it. If we ever forgot that, or started to adopt an attitude of hubris, it would have been game over. The unit that replaced us when we came home adopted that exact attitude of hubris and ignored what we taught them, and they lost a lot of guys in the first few weeks they were there. Physical security, communications security, and IT security require understanding the exact same principles and require the same kind of vigilance.
I’ve personally discovered and reported major security flaws in tons of “secure” systems. In the last two weeks alone, 2 of those were web hosting companies.
Because it is about reducing risk, security is more accurately measured in percentages. Because it’s not possible to ever hit 100%, no system should ever be labeled “secure”.
It’s not a security flaw and has never been one.
That is absolutely incorrect, and saying it doesn’t simply make it true. If you’re going to say things like that, then you need to back it up with some references, quote some security experts with a proven track record. (And they can’t be associated with WordPRess…no cheating.) If you can find something to back that up , I will gladly eat my words and send you a case of your favorite beer. ?? You won’t find it though.
Think of username and password as two individual keys that are needed to access a site, because that’s exactly what they are. You have to have both to enter.
- Can you enter if you only have the password? No
- Can you enter if you only have the username? No
It’s mathematical and has to do with the probability I mentioned above.
If an attacker were trying to brute-force your site, they would have to try a nearly infinite combination of usernames and passwords. Even though there are only two keys needed, there are additional variables of each key that can change that increase the difficulty.
For one, the attacker does not know the length of the username key or the length of the password key. With each additional character added to the length, the difficulty is increased exponentially because the number of combinations to test is increased exponentially. The difficulty is also affected by what character sets are used. For example, does it use only lowercase, lowercase and uppercase, numbers, symbols, alternate alphabets and character encodings?
Without the username, it has a low probability of success, and would require too much bandwidth and time, so it’s not practical. Most brute password attempts are not doing this though. They test a combination of commonly used default usernames, and then when WordPress gives them the feedback that they hit the right one (because it does reveal this), then they go to work on the password. If it isn’t any of those, they will move on.
Once the attacker has the correct username, the difficulty has been reduced exponentially, and the likelihood of success has increased exponentially. So in reality, getting the username is closer to having 75% of what is needed to be successful.
The other thing to keep in mind is that whether in real life or the digital world, the longer an attack takes, its likelihood of success drops exponentially over time. Attackers have to get it done quick before they get discovered, blocked, caught, etc…or before it becomes too expensive (bandwidth, etc) to be practical.
Any reputable security person would tell you that the items you cannot protect have nothing to do with security.
I’m not sure what “reputable” security people you’ve been talking to, but that isn’t even close to accurate. There are no items you cannot protect. If it’s in your possession, you can protect it.
Again, if you back up a statement like that with references, please do.
Zero, that’s like arguing that your company’s address is half of letting people in the front door.
Yes and no. Technically, it is absolutely correct that limiting knowledge of a location would reduce the possibility of an attack. (I’m a combat veteran, and know what I speak of here.) Where your analogy falls short is that having an address does not provide access where username/password combos do provide access. Unless you have an unusual setup at your building, the key and door is a single key entry system. That would be like a site that required a password, but no username. (One key)
It’s the doors with locks that keep them out.
This also is a false security idea. A lock is a single key, so it is weak security. Saying that your building is secure because it is locked, makes an assumption that: 1) The door is the only way in, and 2) that the attacker is too polite to kick your door in. There are a million ways into a building (windows, conduits, etc), and attackers are never polite (whether thieves or hackers).
You don’t think a company publishing their street address is a risk, do you?
Again yes and no. When you consider that security involves probability, then technically it IS a risk, because limiting knowledge of the address would reduce the likelihood of a successful attack. But there is an opportunity cost associated with that…it would do more harm than benefit to your business because no one would know where to find you to buy your excellent wares or services. Same thing with a website. Keeping your site address secret would only harm your business, so that’s not practical. So it’s not that publishing your street address is NOT a risk, but rather, acknowledging that it IS a risk (however potentially low), deciding whether risks outweigh benefits or vice versa and then figuring out ways to mitigate that risk.
If you want to hide the author slugs and URLs then you can. But not hiding them doesn’t make anyone’s installation less secure.
Again, this is simply not true. Security best practices require preventing data leakage and limiting information to those who need it.
I realize I’ll probably get banned and exiled to the equivalent of www.ads-software.com Siberia, but this all needs to be said. No offense is meant.
I just find that too many people associated with WordPress have adopted some really unhealthy and inaccurate security ideas, and are passing them around like they are absolute truth and cannot be challenged.
It would be one thing for you all to keep saying these things if WordPress had a great security track record, but every single version released in the last couple years (with the exception of the very most recent minor releases in each branch) has had major security vulnerabilities discovered within weeks. So you can’t keep saying these things…they are simply not true.
It’s time for the WordPress community to start taking security much more seriously, time for some increased education on security, and time for a dramatic hardening of the WordPress core.
Come to think of it, this thread would probably make an excellent starting point for a blog post.
@jan Good discussion on Twitter. You all missed out on some good debate. ?? Turns out we’re not so opposed, lol.
@scott I agree 100% with you and the analogies you made. Still not sure what you meant by “good discussion on Twitter”, since from here it looks like you and Jan still have diametrically opposite points of views. ??
My point of view: I see security as a mathematical and probability thing, like you do. I don’t think it’s a good idea for anyone to assume that a revealed username is not a security flaw — however tiny of a security flaw it might appear to be with a strong password. If the username being revealed is not a security flaw, then (to those who share Jan’s point of view) tell me why hackers would even bother taking time to try to find actual usernames by doing this:
Briefly: if hacker types in yourdomain.com/?author=1 they get forwarded to a page listing all posts by the author with ID #1 (if one exists). The new URL has the username in it and any hacker can simply go from ?author=1 to ?author=10000 with a quick script and gather all usernames in your entire site.
Now take that one step further. If you’re a big company, you have a database with thousands of users. There might be a user that has a weak password on your website. That might be the weak link. The hacker who successfully breaches that user’s password and breaks in can then inject malware that can spread beyond that user’s files and database. That’s one reason hosts (especially on shared servers) will quarantine / shut down the infected website when a hacker has broken in. Couldn’t this have been easily avoided if the hacker didn’t know the username when the password was a very weak one? If one user’s password is weak (and you can’t reasonably expect everyone to use a strong password unless a strong password is enforced), then it is a security flaw for the username to be known. This could’ve been easily prevented if the username was unknown.
Such as with this htaccess code, for example:
# Stop wordpress username enumeration vulnerability
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
RewriteRule ^(.*)$ https://yoursite.com/somepage/? [L,R=301]Note how it’s called a “vulnerability”.
What may seem like a minor issue with just one user (especially a tech savvy one) can become a problem when several users (or even just one user using an easily guessed password) are involved. Two-factor authentication really helps, but not everyone uses it. Many users aren’t very computer literate and use weak passwords that can be broken via dictionary password brute force attacks. To protect these types of users from such a widespread method of hacking, it’s probably better to consider usernames revealed unnecessarily as a security flaw that could have be easily addressed. Only the administrators and the user himself/herself should be able to see the username in question. Why the public needs to know your front end login username associated with a password, makes absolutely no sense. That’s what display names are for.
@scott Allen – Thank you – first and foremost for your service to the USofA (you mentioned being deployed). Secondly, thank you for the verbose feedback and your support of this seemingly-controversial subject.
I, too, was perplexed, after seeing some of the facile (perhaps even discourteous) responses this thread has received. It was as if the subject matter was personally insulting to the almighty WordPress establishment itself. My only goal was / is to chime-in and continue to raise awareness and visibility of this factual issue with WordPress security. Yes; it’s come a long way .. but much more needs to be done. And there are too many 3rd-party services offering plug-in or similar support, acting as band-aids, which merely serves as empirical evidence on this overall point.
In regard to the Username dataleak, intrinsic to WordPress, I’ve worked for numerous, global companies who took EVERY precaution not to have Usernames exposed to the public .. or even a corporate passer-by. Was it 100% foolproof? Of course not .. but RISK and COMPLIANCE still considered it mandatory. The best option is to cover as many bases as one can, within reason.
As you pointed out, and not unlike other software, the WordPress platform has suffered numerous and significant breaches – many of which received publicity, whether due to WordPress itself or a 3rd party plugin/extension. When I suggest the WordPress platform to my more savvy clients, that’s their FIRST reaction. I spend the first part of my sales pitch, deescalating their valid and founded concerns.
I don’t wish to be misunderstood. I love WordPress, as much as the next developer, and have earned some decent coin working on client projects. Yet, in the same breath, the client perceives the final solution as a reflection of MY services. Hence, if it’s insecure, clients will blame me. In fact, a good friend and full-time WP developer was overburdened in 2015-Q3/Q4, after a publicized exploit of WordPress impacted their clients and resulted in bringing their business to a grinding halt while amends were made to each and every client’s site .. and many clients felt obligated to have the work performed pro bono.
While I am not sure that this particular (one of MANY) threads is the most beneficial place for ongoing, transparent discussion .. perhaps you can start a new domain where WP devs may congregate and constructively share working examples of applied WP Security?
While unrelated to the above, security doesn’t end here. As developers, we also have the responsibility to secure and protect our client’s credentials on our local or cloud-based development machines. Aside from the client’s admin credential, the WP-CONFIG.PHP file contains their WordPress credentials and other sensitive data. For example, I choose to ZIP-encrypt that file, once development concludes. I mentioned this to another avid, professional WP developer who, admittedly, never gave that a moment’s thought. Should their dev environment be compromised (and, let’s face it, everything is being hacked today), all of their client’s data would have been compromised, in one felled swoop.
That was a fun discussion. People can disagree respectfully and that happened on Twitter.
25 words or less: If you cannot guarantee that it will not get out, then your username should not be part of your security strategy.
That’s 21 words BTW. ??
With WordPress 4.5 about to be released you also will be able to log into your installation with your email address as your user name.
I’ll let that set in for a minute.
See what I mean about not being able to prevent it? That’s my point, unless you can guarantee that someone will not find out your username then you have to assume that it’s out there.*
That’s why I maintain that strong passwords is where the security actually is. If there’s a concern beyond that then 2FA is an option.
That does not mean there’s a problem with obscuring your username. But if you install a plugin or theme that makes reference to it, then it will get out. Assume that it’s not secret. Your password is secret and there’s an expectation that it will be kept hidden and private.
Now back to my suggestion:
wp_create_user()
is hookable so when a user is created the nice name should be to be obscured at that time. This way new users would get author slugs that do not match there user IDs.I don’t have the code for that plugin but it may be an interesting exercise. I still think it’s not necessary but technically it should replicate the post above.
Or use a plugin. This was was updated 2 years ago but should still work.
https://www.ads-software.com/plugins/wp-author-slug/
That ought to hide the author slug too.
*NOTE: Yes, not using admin as a user name is still a good practice. Though if you had a password such as “PpqhMmGqPmXAQ79wZvZd” then even that would not matter.
Jan, while we’ll agree to disagree, I think we all understand the importance of a strong password. As for me, I’d still prefer WordPress not to reveal usernames .. and to take every precaution to ensure that 3rd party plugins / extensions adhere to this policy as well. Moreover, to DISALLOW installation / execution of such, should they fail to remain in compliance. A “responsible” framework, at the core.
With WordPress 4.5 about to be released you also will be able to log into your installation with your email address as your user name.
Whatever the key may be, username or email address, it’s only good until revealed publicly as a viable means of access.
I’d like to put your faith in “password-only security” to the test. Please reveal to us in your next reply the following info:
- Your full email address
- The URL to that mailbox’s webmail portal
Assuming you have a strong password, I trust that you’ll have nothing to fear.
It’s poor form to start up months old threads again. C’mon now.
So, closing this. With this information:
My username on my own blog is “otto”.
My email address is [email protected].
It’s on gmail.Best of luck to you.
- The topic ‘WP 4.3.1 still allows visibility of admin usernames’ is closed to new replies.