[resolved] Author Link Security Issue (5 posts)

  1. Toshi Yoshida
    Posted 2 years ago

    WordPress allows a login username to have a nick-name and display-name.

    I've always thought that this was useful to hide the username that someone actually uses to log into the website.

    For example, if an admin username is 'Fred', a nickname and display-name of 'Bob' can be set up. When Fred publishes a post, the name Bob shows up as the author.

    That hides the website username Fred from the internet and therefore removes from hackers half the information they need to password attack your site.

    Unfortunately, many themes show the author name as a link. If you hover over the Bob author link you would unfortunately see the admin username Fred so the real website username is therefore available on the internet.

    I've used an admin role in the example above but it applies to all roles.

    I'm either missing something about how this works or this appears to be a security issue?

  2. Toshi Yoshida
    Posted 2 years ago

    I've just looked at a site running WP 3.8.3 and the Suffusion theme and it works correctly - the nickname/display-name is shown when hovering over the author link on posts.

    It was using WP 3.9.1 and the Portfolio Plus theme where the author hover link shows the true login name not the nickname/display-name.

    Maybe it's theme dependent or WP 3.9.1 where the problem lies?

  3. I'm either missing something about how this works or this appears to be a security issue?

    This comes up a lot. It's not a security issue: your user ID was never the source of security. It's your password that grants you secure access and is why you need to ensure that your passwords are strong.

    Rather than repeat the same discussion again why not give this topic a read starting at this post?


    Those replies really explain it well. ;)

  4. Toshi Yoshida
    Posted 2 years ago

    Thanks Jan.

    I guess I feel that having an unknown username and unknown password is more secure than just having an unknown password.

    I think I'll stick to themes that either don't link to or don't display the underlying login name.

  5. Try this plugin, it may accomplish what you want without messing with themes.
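
An added example, not part of any post in this thread: a site owner's check for the behaviour discussed above, run over the HTML a theme renders, reporting author links whose URL slug matches a real login name even though the visible text is the display name. It assumes author links use WordPress's default `/author/<slug>/` path or the `author_name` query variable; `nicename()` is a hypothetical approximation of how a login becomes a slug, and the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

def nicename(login):
    # Assumption: slug is the login lowercased, other characters -> hyphens.
    return re.sub(r"[^a-z0-9]+", "-", login.lower()).strip("-")

class AuthorLinks(HTMLParser):
    """Collects (slug, visible text) for every author-archive link."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None          # [slug, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        url = urlparse(dict(attrs).get("href") or "")
        m = re.search(r"/author/([^/]+)", url.path)
        slug = m.group(1) if m else parse_qs(url.query).get("author_name", [None])[0]
        if slug:
            self._open = [slug, ""]

    def handle_data(self, data):
        if self._open:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None

def exposed_logins(html, logins):
    """Return sorted (login, shown_name) pairs where the link slug is a login."""
    parser = AuthorLinks()
    parser.feed(html)
    by_slug = {nicename(l): l for l in logins}
    return sorted({(by_slug[nicename(s)], text)
                   for s, text in parser.links if nicename(s) in by_slug})

# Constructed sample of rendered theme output (not taken from a real site).
SAMPLE = """
<span class="byline">By <a href="https://example.test/author/fred/">Bob</a></span>
<a href="https://example.test/author/site-editor/">Alice</a>
<a href="https://example.test/?author_name=carol">Carol S.</a>
<a href="https://example.test/about/">About</a>
"""

if __name__ == "__main__":
    for login, shown in exposed_logins(SAMPLE, ["Fred", "alice", "carol"]):
        print(f"login '{login}' is exposed by the author link shown as '{shown}'")
```
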


Topic Closed

This topic has been closed to new replies.
