Authentication Information Disclosure in 2.1.2 (2 posts)

  1. gverdian
    Posted 9 years ago #

    Hi WordPress team,

    Found a disclosure during authentication to a blog for version 2.1.2.

    When a person logs in with the wrong username into /wp-admin, the error message states "ERROR: Incorrect username".

    The problem is that WordPress is disclosing that that username doesn't exist, therefore providing more information to someone who wants to brute-force username/password combinations. Once they've guessed a correct username (other than the default admin), they only have one field to brute-force, reducing the time needed.

    Not too big a deal, but the solution should say "ERROR: Incorrect username/password" to not disclose which one was incorrect.
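
The behaviour described in this post, as an added example that is not part of the original post and not WordPress's own code: a generic Python login handler with the two distinct failure messages beside a hardened version that returns one message for both failure cases, plus the enumeration check an attacker would run against each. The user store, the PBKDF2 hashing and the names `login_leaky`, `login_hardened` and `enumerate_users` are all assumptions made for this illustration; WordPress stores and checks passwords differently, and only the error-message behaviour is what this example is about.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo user store: username -> (salt, PBKDF2-SHA256 hash).
# This is not WordPress's storage format; it only has to be realistic
# enough that a failed login costs one password-hash computation.
_ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)


USERS = {
    "alice": make_user("correct horse battery staple"),
    "admin": make_user("hunter2"),
}

# A fixed dummy record with an unguessable random password, so that a login
# attempt against an unknown username still performs one hash computation.
_DUMMY_SALT, _DUMMY_HASH = make_user(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> str:
    """Vulnerable form (the 2.1.2 behaviour from the post): the two failure
    branches return different messages, so the response by itself tells the
    caller whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return "ERROR: Incorrect username"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "ERROR: Incorrect password"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """Hardened form: one generic message for both failure cases. The password
    is also hashed against the dummy record when the user is unknown, so the
    unknown-user path does not finish noticeably faster than the bad-password
    path (a timing oracle would otherwise leak the same information)."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and username in USERS:
        return "OK"
    return "ERROR: Incorrect username/password"


def enumerate_users(login, candidates):
    """What an attacker learns from the login oracle: take the failure message
    for a username that certainly does not exist as the baseline, then report
    every candidate whose failure message differs from it."""
    baseline = login("no-such-user-" + secrets.token_hex(8), "x")
    return sorted(c for c in candidates if login(c, "x") != baseline)


if __name__ == "__main__":
    wordlist = ["alice", "bob", "admin", "carol"]
    print("leaky handler reveals:   ", enumerate_users(login_leaky, wordlist))
    print("hardened handler reveals:", enumerate_users(login_hardened, wordlist))
```

Running the block shows the leaky handler confirming `admin` and `alice` as valid accounts from the wordlist, while the hardened handler gives the attacker nothing to distinguish them from `bob` and `carol`. The generic message is the fix the post asks for; the dummy-hash step is the extra caveat a practitioner would add, since a message change alone leaves a measurable timing difference between the two failure paths.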

  2. drmike
    Posted 9 years ago #

    It's come up before. IIRC (and it's been a while) the resolution was to make it more user friendly and leave it as such.

    Best bet would be to submit it to trac:


Topic Closed

This topic has been closed to new replies.
