Account name security
I’m setting up a new blog, and to make things a little more secure I thought I’d make the user names less obvious. So I chose “matthew234” instead of just “matthew” or “admin”. I then set the nickname so that it appears as Matthew. All good. Except that the link to the author is myblog.com/author/matthew234/ so the user name is available easily, and thus more attackable.
Now, I realise that security by obscurity is not good, but it seems to me that it would be good to be able to hide these things better. If the author could be linked via nickname as myblog.com/author/matthew/ then all would be good.
This has been covered many times previously. In short, the security enhancement offered by the author username in a URL is so tiny that it’s pretty much irrelevant. The real security of your login is in your password – not your username. That said, if this still bothers you, have a look at http://wordpress.org/plugins/hide-username-front-side/
I have been aware of this problem for quite some time, and so far I have never found an explanation anywhere for it being this way. The option to choose what nickname to use in the user profile does not prevent usernames from still being seen.
Of all the discussions I found about this topic, which mostly are now closed, there isn’t any satisfactory explanation.
The only thing I have concluded is that there is some difficulty in understanding, explaining and finding an adequate solution among many users who are aware of this issue. Which in my opinion is not a mere matter of taste or style but a reduction of security and privacy.
I believe that if I tell you that on your website, although you hide the users, I can tell that you have two users, their usernames (one has 4 letters and the other has 3) and which one is the administrator, you probably would not be very satisfied, would you?
This question should not be undervalued; I’d like to find a better solution. Maybe a detailed official publication with some clarification and a roadmap? At least it could be identified as a shortcoming, with a warning in the main documentation and the best options available.
Unfortunately I do not know a simple solution that I can suggest.
But I leave here this example with Matt’s website, http://ma.tt/
You can find at http://ma.tt/?author=1 that the admin probably is saxmatt, as you are redirected to
I believe if I tell you, that in your website, although you hide the users, I can tell that you have two users,
I don’t hide users on any of my sites. The fact that you know the usernames doesn’t matter. The security lies in the strength of the PASSWORDS used for each account. Added to which, you might find even accessing the admin area rather tricky. 🙂
If you have something new to say on this subject, please post your own topic.
- The topic ‘Account name security’ is closed to new replies.
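The slug in /author/<slug>/ comes from the account's user_nicename field, which WordPress fills in from the login name by default, and /?author=N redirects to that same URL. The following is an added example, not code from any poster in this thread or from the plugin linked above; it changes the slug and stops the numeric lookup from redirecting anonymous visitors. The `example_` function name, the plugin header and the values in the usage note are hypothetical.

```php
<?php
/**
 * Plugin Name: Author slug hardening (added example)
 *
 * Illustrative code written for this page; names prefixed "example_"
 * are hypothetical and not part of WordPress or any existing plugin.
 */

/**
 * Give a user an author-archive slug that differs from the login name.
 * /author/<slug>/ is built from user_nicename, not from the nickname
 * or display name chosen in the profile screen.
 */
function example_set_author_slug( $user_id, $new_slug ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'example_no_user', 'No such user.' );
    }

    $slug = sanitize_title( $new_slug );

    // Refuse an empty slug or one that is just the login name again.
    if ( '' === $slug || sanitize_title( $user->user_login ) === $slug ) {
        return new WP_Error( 'example_bad_slug', 'Slug is empty or equals the login.' );
    }

    // wp_update_user() returns the user ID on success or a WP_Error.
    return wp_update_user( array(
        'ID'            => $user_id,
        'user_nicename' => $slug,
    ) );
}

/**
 * Stop /?author=N from redirecting anonymous visitors to /author/<slug>/.
 * Priority 1 runs before core's canonical redirect, which is hooked to
 * template_redirect at the default priority of 10.
 */
add_action( 'template_redirect', function () {
    if ( isset( $_GET['author'] ) && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
}, 1 );
```

Calling `example_set_author_slug( 2, 'matthew' )` once (ID and slug are placeholders) makes that account's archive /author/matthew/ while the login stays unchanged. On a site using plain permalinks the author archives themselves are served at ?author=N, so the second hook would also hide those archives from logged-out visitors.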