• First of all let me apologize if this has already been discussed and I haven’t come across it yet.

    I would like for the core team to take into consideration a change in the way usernames operate on the self hosted WordPress framework. With WordPress getting more and more popular I’m starting to concern myself more with securing my site and making sure that only permitted people are allowed access and non-permitted people stay out. However, I have noticed that there is one vulnerability that seems to always be present and that is the display of the username in posts. I completely understand the process of the username and why it works the way it does. However, I think it is time to change this and make WordPress a truly more secure framework.

    My idea is to have the username be used only for access into the WordPress program and not continue into authorship functions. Currently when I’m writing a blog post, you can see my username that I use to access the WordPress site within the post (usually under the title and/or photo). Instead of having the ‘by’ or ‘from’ feature display my username ‘bigbob’, I would like it to say ‘Ben B’.

    I have sometimes found ways around this like two plugins within the repo (http://wordpress.org/extend/plugins/user-name-security/) & (http://wordpress.org/extend/plugins/admin-username-changer/) but these aren’t perfect and they don’t always work because it isn’t part of the core coding of WordPress.

    My idea would be to have another required field during sign-up and it could be called Author. This would allow me to have a username of ‘bigbob’ to gain access to the WordPress site but when I publish posts or when users are looking up past posts from different authors on the archive page, they can find my name ‘Ben B.’ and not my username of ‘bigbob’.

    If I had the technical skills to do this I would, but I am just starting to learn some of the coding basics and perhaps I too can help out code-wise in the future.

    Would love to hear what others think about this concept. Thanks for your time.

Viewing 4 replies - 1 through 4 (of 4 total)
  • First of all let me apologize if this has already been discussed and I haven’t come across it yet.

    Oh – this has been discussed many, many times. 🙂

    The answer always boils down to “security by obscurity is no security at all”. The real security is in the strength of the password – not in hiding the username.

    Thread Starter Ben (@sammysimms)

    The answer always boils down to “security by obscurity is no security at all”. The real security is in the strength of the password – not in hiding the username.

    I can definitely understand that position (laziness doesn’t increase security), but it feels like we are still giving hackers half of the keys to the vault.

    I personally have LastPass set up for my websites, so my password is so confusing I don’t even know it off-hand. But if hackers had to guess the correct username and password it would become a lot harder for them to gain entry than if they already had the username and just needed to peck away at the password until they hit it just right.

    Also, WordPress.com just added two-factor authentication for added protection and security but would it be needed if the username was not public? I know that many people still use ‘admin’ as a username (which was the focus of the massive WordPress attack a couple weeks ago). What about CAPTCHA?

    What about CAPTCHA?

    CAPTCHAs can be broken and they are a pain for real users.

    Also, WordPress.com just added two-factor authentication for added protection and security but would it be needed if the username was not public?

    As esmi mentioned above there is really no security advantage to obscuring the username. Do you use an email service like gmail? If so then your Google username is not hidden either. Again password strength is the key to securing your admin. Two-factor authentication is also a way to secure it even more and there are plugins for that.

    Sammy, you can already change the name that is seen on your posts in your user profile. Just use the nickname (it is ‘required’).

    Instead of having the ‘by’ or ‘from’ feature display my username ‘bigbob’, I would like it to say ‘Ben B’.

    You do not need a plugin to do that.
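    The reply above points at the profile setting that already separates the login name from the public byline. As an added example (not code from the thread or from WordPress itself), here is a small must-use plugin that lets a site owner audit which accounts still show their login name publicly and optionally switch them to a nicer display name. It assumes it is dropped into `wp-content/mu-plugins/` on a self-hosted site with WP-CLI available; the command name `display-name-audit`, the `dna_` function prefix and the `--fix` flag are this example's own choices, and the only WordPress APIs used are `get_users()`, `wp_update_user()` and the `WP_CLI` helpers.

```php
<?php
/**
 * Plugin Name: Display Name Audit (added example, not part of the thread)
 *
 * Lists users whose public display_name is still identical to their
 * user_login, i.e. whose bylines print the same string they log in with.
 * With --fix it sets display_name to "First Last" or the nickname instead.
 * The mu-plugin location, the command name and the dna_ prefix are
 * assumptions made for this example.
 */

// Return every WP_User whose public display name equals the login name.
function dna_users_exposing_login() {
    $exposed = array();
    // get_users() returns WP_User objects by default (fields => 'all').
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        if ( $user->display_name === $user->user_login ) {
            $exposed[] = $user;
        }
    }
    return $exposed;
}

// Pick a public-facing name: "First Last" if set, else the required nickname.
// Returns false when nothing better than the login name is available.
function dna_better_display_name( WP_User $user ) {
    // first_name, last_name and nickname are user meta, exposed by WP_User::__get().
    $candidate = trim( $user->first_name . ' ' . $user->last_name );
    if ( '' === $candidate ) {
        $candidate = (string) $user->nickname;
    }
    if ( '' === $candidate || $candidate === $user->user_login ) {
        return false;
    }
    return $candidate;
}

// Apply the better name via wp_update_user(); returns true on success.
function dna_fix_display_name( WP_User $user ) {
    $name = dna_better_display_name( $user );
    if ( false === $name ) {
        return false;
    }
    $result = wp_update_user( array( 'ID' => $user->ID, 'display_name' => $name ) );
    return ! is_wp_error( $result );
}

// WP-CLI entry point:  wp display-name-audit [--fix]
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'display-name-audit', function ( $args, $assoc_args ) {
        $exposed = dna_users_exposing_login();
        if ( empty( $exposed ) ) {
            WP_CLI::success( 'No user displays their login name publicly.' );
            return;
        }
        $fix = isset( $assoc_args['fix'] );
        foreach ( $exposed as $user ) {
            $status = '';
            if ( $fix ) {
                $status = dna_fix_display_name( $user ) ? '(updated)' : '(no better name set in profile)';
            }
            WP_CLI::line( sprintf( 'ID %-4d login=%s display_name=%s %s',
                $user->ID, $user->user_login, $user->display_name, $status ) );
        }
        WP_CLI::warning( 'Bylines only; the author archive slug (user_nicename) is a separate field.' );
    } );
}
```

    Run `wp display-name-audit` to list affected accounts and `wp display-name-audit --fix` to update them; themes normally print the byline with `get_the_author()`, which reads `display_name`, so the change takes effect without touching theme code. The closing warning is there because the author archive URL uses `user_nicename`, which WordPress derives from the login at registration, so fixing the byline alone does not change that slug.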

  • The topic ‘Increase Security Starting With Username Change’ is closed to new replies.