Having the "admin" username on many WordPress sites is not secure
During installation, WordPress suggests using "admin" as the username for the default administrator user. Most WordPress sites have this username. WordPress does not limit the number of login attempts. So many WordPress sites are attacked by brute-forcing the password for the "admin" user. For example, my site is attacked about 2-3 times each week.
It would be better if WordPress limited the number of login attempts, or at least did not suggest the "admin" username by default.
I don't remember if this was in the latest version or a few versions before, but I remember you could choose the username during installation (and a password of course).
However, this does not solve the other issue. The default/first user has an ID of 1 in the database. This opens the door for a lot of XSS attacks if a vulnerability occurs. It is always best to create a new admin user with a different username immediately after installation, log in with it and delete the first admin. You are given the option to assign the current content (the Hello World post, the default page and the default comment) to the new admin, which I personally just choose to delete.
Limiting login attempts by default is not a good idea, since a lot of users without technical knowledge may experience issues if they fail to log in for a given number of attempts.
It's been since 3.0 :)
The default ID is always going to be one, as changing it now would be problematic. Neither limiting logins nor captcha is really new-user friendly, which is why they're not in core.
Not suggesting ADMIN, however, is a great idea. I thought we did that!
No, it is still suggested in wp-admin/install.php :( I cannot believe that any of the developers would suggest that a friend new to WordPress use 'admin', but this remains what happens on every new site's setup page.
I could not find anything about this in trac, so I have submitted one along with the diff file - it is an incredibly simple thing to do.
I disagree that limiting logins is unfriendly to new users. Even Yahoo! starts complaining if people fail to give the correct password for an account after a few tries.
As it is, WordPress suggests you pick an obvious username for the first administration account, has no password strength enforcement for it, and then lets attackers have as many attempts at hacking it as they like, as fast as the webserver will let them. Is that really thought to be a good idea?
Oh, "about 2-3 times a week"? I've been getting twelve attacks a minute recently, all going after 'admin'.
I know this because I have set up Limit Login Attempts.
@lovingboth Please post a link to the trac ticket so everybody can check it out.
Many people are complaining that WordPress is not secure, but still most WordPress sites have the 'admin' username with administrator credentials.
IMHO this is the biggest security problem and it should be fixed in the core and not with the plugins.
Done - it turns out to be a duplicate of the surprisingly recent http://core.trac.wordpress.org/ticket/24078 which I missed when looking to see if it had been suggested before.
I don't think this is the biggest problem - not integrating Limit Login Attempts into the core is!
However simply not having 'admin' as a user does defeat more than 90% of current attacks, albeit at a cost of processing the failed logins until the attacker runs out of passwords to try.
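As an added illustration of the "limit login attempts in core" idea discussed in this thread (this is example code written for this page, not code from WordPress core or from the Limit Login Attempts plugin), the following must-use plugin counts failed logins per client IP and username in a WordPress transient and refuses further password checks once the limit is reached. The `mlal_` prefix, the limit of 5 failures and the 15-minute window are assumptions chosen for the example; it relies only on the real WordPress hooks `wp_login_failed`, `wp_login` and `wp_authenticate_user` and the transient API.

```php
<?php
/*
Plugin Name: Minimal Login Attempt Limiter (example code, assumed names)
Description: Drop into wp-content/mu-plugins/ to lock out an IP/username pair after repeated failed logins.
*/

// Assumed policy for this example: 5 failures within 15 minutes lock the pair for 15 minutes.
define( 'MLAL_MAX_ATTEMPTS', 5 );
define( 'MLAL_WINDOW_SECONDS', 15 * 60 );

// REMOTE_ADDR is set by the webserver, not by the client. Only trust X-Forwarded-For
// when WordPress sits behind a proxy you control, and then only that proxy's header.
function mlal_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names are limited in length, so hash the IP and normalised username.
function mlal_transient_key( $username ) {
    return 'mlal_' . md5( mlal_client_ip() . '|' . strtolower( (string) $username ) );
}

// Fired by wp_authenticate() on every failed login; bump the counter and (re)start the window.
function mlal_record_failure( $username ) {
    $key      = mlal_transient_key( $username );
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, MLAL_WINDOW_SECONDS );
    if ( $failures >= MLAL_MAX_ATTEMPTS ) {
        // Log the lockout so it can be picked up by whatever watches the PHP error log.
        error_log( sprintf(
            '[mlal] lockout: user "%s" from %s after %d failed attempts',
            $username, mlal_client_ip(), $failures
        ) );
    }
}
add_action( 'wp_login_failed', 'mlal_record_failure' );

// Runs after the user row is found but BEFORE wp_check_password(), so a locked-out pair
// costs no password hashing at all. Returning a WP_Error aborts the login.
function mlal_check_lockout( $user, $password ) {
    if ( ! ( $user instanceof WP_User ) ) {
        return $user; // earlier step already produced an error; leave it alone
    }
    $failures = (int) get_transient( mlal_transient_key( $user->user_login ) );
    if ( $failures >= MLAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'mlal_locked_out',
            sprintf( __( 'Too many failed login attempts. Try again in %d minutes.' ),
                     MLAL_WINDOW_SECONDS / 60 )
        );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'mlal_check_lockout', 10, 2 );

// A successful login clears the counter for that IP/username pair.
function mlal_clear_failures( $user_login ) {
    delete_transient( mlal_transient_key( $user_login ) );
}
add_action( 'wp_login', 'mlal_clear_failures' );
```

Two design points worth knowing before deploying something like this: a rejected attempt during the lockout also passes through `wp_login_failed`, so every extra try by the same client restarts the 15-minute window (a sliding lockout), and keying on IP plus username means a legitimate user on a different address is not locked out by an attacker guessing their name, which is the usability concern raised earlier in this thread.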