Customizr
[resolved] Security Issue??? (8 posts)

  1. deputy05
    Member
    Posted 2 months ago #

    When looking at author archives on my site I notice the url lists the full username of the author at the end...I have the nickname selected in the user accounts for public viewing...shouldn't this include the url??

    I do not have any blog page or posts yet, still figuring/testing out how to set up multiple blog pages restricted by author. I have removed all of my test items to minimize the possibility of visitors stumbling across this issue.

    Any ideas why this is happening? Or, how to over-ride it?

    Thanks.

  2. deputy05
    Member
    Posted 2 months ago #

    Okay...found a solution that says I need to go into my host's database and use phpMyAdmin to edit the wp_users nicename for my users...

    Is this the proper method? How much trouble can I get myself into?

    Why does WordPress default to the username and not the nickname for the nicename? Seems to me like a big security breach.

  3. acub
    Member
    Posted 2 months ago #

    It is a known WP "security breach". However, it only gives hackers the username, and protecting your site from brute force attacks is at hand. Actually, brute force attacks on user accounts rarely happen on WordPress. There are other, easier ways to breach a WP website, such as jQuery redirecting iframe backdoors allowed by poorly written or malicious plugins.

    And yes, the quick-fix for this is to manually edit your user's user_nicename in the database. Be warned, you should change it to a sanitized string (A-Z,a-z,0-9,-,_). This is also why user_nicename is not directly editable. If it was, a lot of un-savvy WP users would break their author pages by inputting unsafe strings for use in that field.

    I will look further into this to see if I can create a function that uses the nicknames for author links and maybe also sanitize nicknames upon user profile save. I'll keep you posted about it.

  4. acub
    Member
    Posted 2 months ago #

    Well, the plugin/function I set out to write has already been written, quite neatly, I might add, after looking over its code a bit. I highly recommend: Edit Author Slug Plugin.

    It allows you to change your author slug to sanitized versions of username, nickname, firstname, lastname or even a custom string that has nothing to do with any of the above. Also, you can change the $author_base rewrite from author to anything else.

    For example, my username is not acub on websiter.ro: http://websiter.ro/coder/acub/
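    The two fixes acub describes above (deriving the author slug from the nickname instead of the login name, and changing the author rewrite base) as a small WordPress plugin. This is an added example, not code from the Customizr theme or from the Edit Author Slug plugin; the `NAS_AUTHOR_BASE` value, the `nas_` function names and the `author-<ID>` fallback are choices made for this illustration.

```php
<?php
/**
 * Plugin Name: Nickname Author Slug (added example)
 *
 * Added example, not the theme's or the Edit Author Slug plugin's code. Keeps
 * wp_users.user_nicename (the slug used in author archive URLs) in sync with the
 * user's nickname so the login name is not exposed in /author/<slug>/ links, and
 * renames the "author" rewrite base. Place it in wp-content/mu-plugins/ or
 * wp-content/plugins/ and re-save Settings > Permalinks once so the rewrite
 * rules pick up the new base.
 */

// Rewrite base for author archives: /author/<slug>/ becomes /coder/<slug>/.
// "coder" is an illustrative value; any slug not used by a page or post type works.
const NAS_AUTHOR_BASE = 'coder';

add_action( 'init', function () {
    global $wp_rewrite;
    $wp_rewrite->author_base = NAS_AUTHOR_BASE;
} );

/**
 * Build a safe slug from a nickname: lowercase ASCII letters, digits, "-" and "_",
 * the character set acub describes above. Truncated so a uniqueness suffix still
 * fits in the 50-character user_nicename column. Returns '' if nothing usable is left.
 */
function nas_slug_from_nickname( $nickname ) {
    $slug = sanitize_title( (string) $nickname );        // lowercases, strips unsafe characters
    $slug = preg_replace( '/[^a-z0-9_-]/', '', $slug );   // drop any percent-encoded leftovers
    return substr( $slug, 0, 45 );
}

/**
 * Choose the nicename for a user: the sanitized nickname, never the login name,
 * with a numeric suffix when another user already owns that slug.
 */
function nas_nicename_for_user( WP_User $user ) {
    $base = nas_slug_from_nickname( get_user_meta( $user->ID, 'nickname', true ) );

    // Empty nickname, or a nickname that merely repeats the login name: fall back
    // to an opaque slug built from the numeric user ID (a choice for this example).
    if ( '' === $base || $base === sanitize_title( $user->user_login ) ) {
        $base = 'author-' . $user->ID;
    }

    $slug = $base;
    for ( $n = 2; $n < 100; $n++ ) {
        $owner = get_user_by( 'slug', $slug );             // 'slug' looks up user_nicename
        if ( ! $owner || (int) $owner->ID === (int) $user->ID ) {
            return $slug;
        }
        $slug = $base . '-' . $n;
    }
    return $base . '-' . $user->ID;                        // last resort, still unique
}

/**
 * Write the slug straight to wp_users. Going through wp_update_user() would fire
 * profile_update again and recurse into this same handler.
 */
function nas_sync_nicename( $user_id ) {
    global $wpdb;
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $slug = nas_nicename_for_user( $user );
    if ( $slug === $user->user_nicename ) {
        return;
    }
    $wpdb->update( $wpdb->users, array( 'user_nicename' => $slug ), array( 'ID' => $user_id ) );
    clean_user_cache( $user_id );                          // author links now read the new slug
}

add_action( 'user_register', 'nas_sync_nicename' );
add_action( 'profile_update', 'nas_sync_nicename' );
```

    Existing accounts are only rewritten when their profile is next saved, so after activating it, open and save each author's profile once (or use the database edit discussed above for the few accounts you have). Permalinks to the old /author/<username>/ URLs stop resolving, which is the intended effect.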

  5. deputy05
    Member
    Posted 2 months ago #

    Begin Rant:
    The deeper I dug, the more baffled I have become...this issue has been out there for years...and a lot of posts just died off without a solution...since I have never dabbled in my database, I wanted a second opinion...this breach may not be the preferred method used by hackers, but it gives them half the solution to coming in the front door...I am not a coder/programmer, but this appears to be a seemingly simple fix...the nicename is being populated at some point, so just use something else (nickname, author id, random text, etc.), anything besides the username...
    :End Rant

    Thanks acub for your assistance, it is greatly appreciated. The plugin looks like it has some nice abilities, but I do not know if I really need it. Looking at my database, changing the nicename appears to be a fairly straightforward process...I understand the principle of sanitizing the string and if I keep the nicename simple it should prevent my screwing it up...so I will likely use this method.

    Thanks again @acub. It is members like you that make this forum and this theme a success.

  6. > ...this issue has been out there for years...and a lot of posts just died off without a solution...

    It's not regarded as an issue because just having your username doesn't grant anyone access. It's always been about picking good passwords.

    You may not like this analogy but people knowing your street address doesn't grant them the keys to your house. ;)

  7. deputy05
    Member
    Posted 2 months ago #

    @Jan Dembowski: Using your analogy...giving them my street address, they do not need the keys, they just kick in the door or break a window...

    I guess we will just have to agree to disagree...

  8. It's fine to disagree. If you're really concerned about it try this article.

    http://codex.wordpress.org/Brute_Force_Attacks

    WordPress out of the box with a good password isn't a security issue. But with enough time and poor passwords then the Bad People™ can get into your installation.

    If you install one plugin (don't let the warning bother you, it works fine) then consider this one.

    http://wordpress.org/plugins/limit-login-attempts/

    It'll reinforce your doors and windows. ;)
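    The mitigation recommended above, limiting repeated failed logins, as a minimal WordPress plugin. This is an added example and not the Limit Login Attempts plugin's code; the thresholds `LT_MAX_FAILURES` and `LT_WINDOW_SECONDS` and the `lt_` function names are assumptions for this illustration.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example)
 *
 * Added example, not the Limit Login Attempts plugin's code. After a number of
 * failed logins from one client address, further attempts from that address are
 * rejected for a cooling-off period, which is the defence the Codex article above
 * recommends against password guessing. Counters live in transients, so no
 * database table is needed.
 */

const LT_MAX_FAILURES   = 5;        // failures allowed before lockout
const LT_WINDOW_SECONDS = 15 * 60;  // lifetime of the counter and of the lockout

/**
 * Client address used as the throttling key. REMOTE_ADDR is only correct when PHP
 * talks to visitors directly; behind a reverse proxy or CDN you would read the
 * header that proxy sets, and only because that proxy is trusted to set it.
 */
function lt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function lt_transient_key() {
    return 'lt_fail_' . md5( lt_client_ip() ); // transient names have a length limit
}

/** Count one failed login for the current client and log when the limit is reached. */
function lt_record_failure( $username ) {
    $key   = lt_transient_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LT_WINDOW_SECONDS );

    if ( $count >= LT_MAX_FAILURES ) {
        // Audit trail for the site owner; the attempted name is sanitized before logging.
        error_log( sprintf(
            'login throttle: %d failed logins for "%s" from %s',
            $count, sanitize_user( $username ), lt_client_ip()
        ) );
    }
}
add_action( 'wp_login_failed', 'lt_record_failure' );

/**
 * Runs after the core username/password handlers (they sit at priority 20), so the
 * WP_Error returned here is the final word: a locked-out client is refused even if
 * it finally supplies the right password, and the message does not reveal whether
 * the username exists.
 */
function lt_block_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( lt_transient_key() ) >= LT_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', LT_WINDOW_SECONDS / 60 )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'lt_block_if_locked', 30, 3 );

/** A successful login clears the counter for that client. */
add_action( 'wp_login', function () {
    delete_transient( lt_transient_key() );
} );
```

    Because the counter is keyed by client address, it slows a single guessing host but not an attack spread over many addresses; that is why the Codex article still puts a strong password first and this kind of throttle second.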
