Wordfence has been alerting me (a lot) as my site seems to be under bot attack from the password reset of users.
Have you considered asking Wordfence about it?
WordPress could do more to block these password resets programmatically.
So can we get this addressed by the security team please as it’s quite an important issue which I feel is unresolved at this point.
It’s not an important issue as much as failed password resets is background noise. And there is nothing at all for the security team to do to the core WordPress. The attempts don’t matter unless they are successful.
I’ll try and explain.
WordPress by default is fairly basic and that’s not an accident. Not everyone has the same set of requirements so the default username and password security work well.
The username being exposed to request the password reset is one end point that could be addressed. I see no settings to block this. It just feels too easy an exploit IMO.
Usernames are not hidden and never will be. It’s an amazingly old conversation because the security is never in a username. That’s also by design and also not limited to WordPress.
Usernames are often something like jdembowski and/or my email address. Which I won’t post here; I get more than enough spam as it is. Whenever asked, users do hand out their email address all the time. There’s really no security benefit to attempting to hide a username or ID.
It’s the password that matters. WordPress supports up to a 4096 characters for passwords, which is fine if you use a password manager. I recommend 1Password but there are many others and some of them are opensource.
For the scenarios where WordPress admins feel a password is not sufficient, then the recommended to install two factor or even multifactor authentication. I use and recommend this one.
https://wordpress.org/plugins/two-factor/
Again, there are others. I personally know some of the people who worked on that one and it is very opensource.
*Re-reads, looks for grammatical errors and misses many I am sure while having coffee*
Two or multi-factor is not built into WordPress by default because it does require understanding and planning. For the majority of WordPress users that’s too much for them. Just implementing that without understanding has resulted in people getting locked out of their own WordPress installations. That’s why it remains an optional thing.
Security is not easy but it you are concerned about it, and that is always a good thing, then seek extending security with add-ons in WordPress. They work and have for a long time.
-
This reply was modified 4 months, 3 weeks ago by Jan Dembowski. Reason: Yep, found one grammar mistake