
WordPress Vulnerability? (13 posts)

  1. daveshu1234
    Member
    Posted 8 months ago #

    Hi,
    I had a problem with a site that was hacked and so I cleaned it all up, changed FTP, user names, etc, etc, etc - not had a problem since.

    When I changed my username I made it a jumble of letters and numbers (so impossible to guess) and I removed any "author" type tags so it doesn't say on the front of the site who wrote the posts, etc.

    However, I've now got someone trying to hack the site again, they've just been locked out by Wordfence, but the worrying thing is they had used my correct new user name - how on earth have they managed to find that?

    This surely is a vulnerability, with the correct user name they are half way there to hacking the site, it would be far better if you could somehow hide the user name so that it is impossible for anyone to discover it.

    thanks.

  2. I've deleted your newer duplicate topic. Your posts are caught in the spam filter. Be patient someone like me will come and clear the queue.

    This surely is a vulnerability

    Nope. 100% not a vulnerability.

    *Drinks more coffee*

    A vulnerability is when something could be exploited. Just having the user's ID known isn't a vulnerability. It is why you are encouraged to use strong passwords.

    Also give this a read if you're concerned about brute force password guessing.

    http://codex.wordpress.org/Brute_Force_Attacks

    it would be far better if you could somehow hide the user name so that it is impossible for anyone to discover it.

    That doesn't really necessarily accomplish anything IMHO but give this a look.

    http://wordpress.org/plugins/search.php?q=hide+username

    One of those plugins may assist you in doing what you like. I'm not saying it's a bad idea I just don't think it will help you. ;)

    When I changed my username I made it a jumble of letters and numbers (so impossible to guess) and I removed any "author" type tags so it doesn't say on the front of the site who wrote the posts, etc.

    Assuming you've used good passwords then that's likely not why you were hacked again. It sounds like you did not properly delouse your installation.

    You need to start working your way through these resources:
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress
    http://sitecheck.sucuri.net/scanner/
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

  3. daveshu1234
    Member
    Posted 8 months ago #

    Hi,
    I haven't been hacked again, but I think my point still stands - obviously having a strong password is critical, but since many people don't get how important this is, and still use weak passwords, then allowing all and sundry to obtain the login name is foolish.

    If the hacker can get the correct user name and you have a weak password then it makes their job easier and you're in trouble, if they can't get the username and you have a weak password then it makes their job harder.

    Since there is no valid reason to display the login name to anyone, it is only logical to NOT display them, otherwise those who do use poor passwords will have their sites hacked, and will consequently "badmouth" WordPress and possibly stop using it.

    It's all well and good saying "it's your fault, you should have used a better password", but when half the issue can easily be resolved without the unsavvy user having to do anything then it only makes sense to do it.

    It IS a vulnerability, or perhaps an Achilles heel if you prefer.

  4. daveshu1234
    Member
    Posted 8 months ago #

    Just to re-iterate what I'm suggesting - when people install WordPress they choose a public display name, which HAS to be different from the login name that they also choose, and the 2 are NOT tied together on the front of the site.

    So while a hacker can see the public name of the author of the posts, they have no clue what the user name to log into the site is.

  5. Obviously having a strong password is critical, but since many people don't get how important this is, and still use weak passwords, then allowing all and sundry to obtain the login name is foolish.

    We disagree. ;) But I think with those words (emphasis mine) you have identified the real vulnerability here.

    Note: the following is solely my opinion and does not represent the views of anyone else or any group that I may belong to. So there. ;)

    otherwise those who do use poor passwords will have their sites hacked, and will consequently "badmouth" WordPress and possibly stop using it.

    Not to be abrupt (honest) but I personally don't worry about people who are doing things Just Plain Wrong™ and what they say about WordPress.

    You can lead them to water but you can't make them drink. If users continue to use poor passwords then nothing that anyone does on the WordPress software side will make any difference at all for those users.

    Using any software on the Internet requires a level of responsibility and ownership. Off-loading that onto the software is not a solution for people not being responsible or making poor decisions.

    If you want to hide usernames on your WordPress installation then that is doable. But that really is a preference and exposing the usernames doesn't make a system insecure. Poor passwords do.

  6. esmi
    Forum Moderator
    Posted 8 months ago #

    Using any software on the Internet requires a level of responsibility and ownership. Off-loading that onto the software is not a solution for people not being responsible or making poor decisions.

    I was going to chime in but this just about sums up everything I was going to say.

  7. daveshu1234
    Member
    Posted 5 months ago #

    I'm going to resurrect this topic because it is now causing major problems.

    First of all I'm shocked at the attitude of "it's your fault if you don't have a secure password", it is almost identical to the hackers' attitude of "you didn't have good enough security so you deserved it."

    It's nonsense to not do everything to stop them, which includes NOT divulging actual user names.

    Anyway, onto the most important topic - if you are using security like Wordfence, BPS, limit logins, etc, then what happens when the hackers can see your user name is they try to log in, fail, and the user account gets locked out.

    Then you have clients ringing you up all day complaining that they're locked out, you unlock them, and 5 minutes later they're locked out again.

    So you have 2 options:

    1) Accept you're going to spend all day every day unlocking sites over and over again and pacifying seriously annoyed clients; or
    2) Turn off the security that locks out the hackers, giving them a free run at trying to get into the site.

    All could be avoided if they could not see the user name.

  8. First of all I'm shocked at the attitude of "it's your fault if you don't have a secure password", it is almost identical to the hackers attitude of "you didn't have good enough security so you deserved it."

    That's not the "attitude" that was expressed and I'm sorry you chose to take the comments posted here negatively. Reasonable people do disagree with each other and you've mis-categorized what was written.

    It's nonsense to not do everything to stop them, which includes NOT divulging actual user names.

    I'm going to paraphrase another person who I respect and admire greatly (and will read this later and laugh hopefully *Drinks more coffee*): do you worry about your neighbors seeing your house address?

    Your username is akin to your street address. Knowing your street address doesn't get you access to your home. It's your keys that let you get access and that's why "exposing the usernames doesn't make a system insecure. Poor passwords do."

  9. daveshu1234
    Member
    Posted 5 months ago #

    I seem to remember it being said repeatedly over and over again "change your user name from admin to something else."

    Why? If what you are saying is correct, then why bother? It is said so that your user name is not guessable.

    However, if you have a "standard" 404 page then it lists authors, and when you hover over the author name it reveals the user name that you use to log in.

    Why change from admin to something else, if you're then going to reveal what you changed your user name to on the front of the site?

    The more layers of security the harder it is to get into the site, so there is nothing to be gained by revealing log in names, but a whole lot to be gained by not revealing them.

  10. daveshu1234
    Member
    Posted 5 months ago #

    Just to clarify, I'm talking about the log in name - so your public name might be "John" your login might be "urbrrbverbfhrvbervberbvkherb" - hover over "John" on the 404 page & "urbrrbverbfhrvbervberbvkherb" is revealed.
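Added example (not code from this thread or from WordPress itself) for the mechanism the two posts above describe: core sets a user's public slug (user_nicename) to the sanitized login, and that slug is what author links on archive and 404 pages carry. This plugin-style PHP keeps the slug random instead; it assumes a standard WordPress install, and the xmpl_ function names are placeholders.

```php
<?php
// Keep a user's public slug (user_nicename) different from the login name so that
// author links on archive, 404 and author pages do not reveal the login.
// Assumes a standard WordPress install; the xmpl_ names are placeholders.

// Build a random, URL-safe slug that is not derived from the login.
function xmpl_random_nicename() {
    // wp_generate_password() with special characters off yields [A-Za-z0-9];
    // sanitize_title() lowercases it and keeps it URL-safe.
    return sanitize_title( 'author-' . wp_generate_password( 12, false ) );
}

// True when the nicename WordPress generated would expose the login name.
function xmpl_nicename_leaks_login( WP_User $user ) {
    return $user->user_nicename === sanitize_title( $user->user_login );
}

// On every new account, replace the default nicename (core derives it from the
// login) with a random one. user_register fires only on insert, so the nested
// wp_update_user() call cannot recurse back into this hook.
add_action( 'user_register', function ( $user_id ) {
    $user = get_user_by( 'id', $user_id );
    if ( $user && xmpl_nicename_leaks_login( $user ) ) {
        wp_update_user( array(
            'ID'            => $user_id,
            'user_nicename' => xmpl_random_nicename(),
        ) );
    }
} );

// One-off repair for accounts that already exist. Returns the logins that were
// changed so an administrator can verify the result; run it once from an
// admin-only context.
function xmpl_fix_existing_nicenames() {
    $changed = array();
    foreach ( get_users() as $user ) {
        if ( ! xmpl_nicename_leaks_login( $user ) ) {
            continue;
        }
        $result = wp_update_user( array(
            'ID'            => $user->ID,
            'user_nicename' => xmpl_random_nicename(),
        ) );
        if ( ! is_wp_error( $result ) ) {
            $changed[] = $user->user_login;
        }
    }
    return $changed;
}
```

The login itself is unchanged; only author archive URLs change, so existing links to old author pages need updating. This closes the author-link path to the login name but, as the replies in this thread stress, does nothing for a weak password.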

  11. esmi
    Forum Moderator
    Posted 5 months ago #

    To re-use Jan's analogy above, the postman also knows your address when he looks at your letters. Doesn't mean that he has the key to your house. If you wish to secure WordPress effectively, then I would recommend reviewing Hardening_WordPress.

  12. daveshu1234
    Member
    Posted 5 months ago #

    You're not really listening are you, just repeating the same tired old mantra over and over.

    A hacker is not like a postman, he's like a burglar. I don't want him to know where I live so he can come and steal my family silver, I want to hide my address from him.

    I don't want to go around shouting my address from the rooftops inviting every burglar in town to come and try his luck, I want to stay hidden.

    WordPress gives my address to any burglar who asks - imagine you've paid a builder to build your house incognito, and you then find out he's giving your name and address to anyone who asks.

    Wouldn't be happy would you?

    And what you're saying, apart from being wrong, doesn't answer the issue of continuously being locked out of your own site because you HAVE hardened it using appropriate tools.

    It needs fixing.

  13. esmi
    Forum Moderator
    Posted 5 months ago #

    You're not really listening are you, just repeating the same tired old mantra over and over.

    We are listening but we have had this conversation many, many, times before.

    Security by obscurity is no real security at all.
