Support » Plugin: Cerber Security & Antispam » ‘posted by ‘ helps attackers to guess valid login

  • Resolved b-smark

    (@b-smark)


    Hi

    It would be nice (+feature) to have an option that removes any (valid) username/login reference from posts/pages; it seems the removal of ‘posted by’ info is still a general ‘wanted’ without a solution (the custom CSS trick is not really a way).

    thx

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Gioni

    (@gioni)

    Hi!

    You can get it either by disabling it in the settings of your theme or by creating a child theme with appropriate changes in PHP files. The plugin will never have such feature.

    b-smark

    (@b-smark)

    Ok, thank you for the answer.
    I’ve checked a few themes; not all have such an option, so that’s another criterion for choosing a theme.

    Plugin Author Gioni

    (@gioni)

    Actually, I can implement blocking access to /author/ pages, but even with this feature enabled you still need to use a theme that doesn’t display those links to /author/ pages. Otherwise, people and search engines will see the 404 error if they click/follow those links. That is not right.

    b-smark

    (@b-smark)

    Yeah, the problem is that a site should never have blogged with posted-by exposed, let alone by admin users, but the way themes opt for that is way too drastic: usually all/none meta, while one would like just the author name not exposed.
    A solution could be to map login-name -> hash; users would have to use that hash to log in, and valid login-names would then be those hashes instead of the public author name/nick.
    I guess a custom login URL plus the other options regarding wp-login.php and wp-admin is the way to address the issue at the moment. The hash login would be kind of a per-user custom login URL.

    Plugin Author Gioni

    (@gioni)

    Actually, we can encode (with a hash) a username in author URLs, but sadly, there is another and bigger problem. The nice guys behind WP use usernames (logins) and user IDs everywhere in the HTML code. For instance, look at the body tag on any author page. It contains a CSS class with – guess what – the username and the user ID. Cheers! Moreover, many theme developers do the same things and style pages by using usernames and user IDs. Class names, element IDs, img alts. All pages are literally packed with user details. 🙂

    After that, many users ask me “how do hackers and bots find out my personal login that is known only to me?”. Who knows, buddy, who knows…

    It looks incredible, but any freshly installed WordPress powered site can be hacked in no time in a fully automatic mode. A bot takes the username from the author page link of the first post, which is created automatically with the admin username, uses it to find the password via a simple brute-force attack (modern networks allow doing that in a few minutes) and then installs some malicious code or an infected plugin on the website. Cheers! The owner of the website doesn’t even know what happened. To be exact, that hapless owner has no chance at all!

    So we have to install a reliable security plugin immediately after installing WordPress.

    b-smark

    (@b-smark)

    Yep. But I was thinking of something like this (I don’t know WP internals etc., so I don’t know if it’s feasible): a new table id/login,hash, or augment the users table like:

    user_login
    user_username <- new field
    user_nicename
    display_name

    It seems that the mechanism is: username -> user_login, lowercase(username) -> user_nicename, any/combo of {username, first, last} -> display_name. Themes seem supposed to use display_name.
    Now, if a plugin does user_login -> user_username and somehash(username,timestamp) -> user_login, and the user is then shown that hash to use as the new login, all should still work fine, and usernames collected from the pages even before the hashing wouldn’t be useful (anymore) because the valid logins are now the secret hashes (of course assuming login always happens within an encrypted/protected channel).
    The only issue seems to be that users can choose their user_login (hence the hash) as display_name too, evading the trick, so either a plugin can restrict such a choice or the site user policy must be strict and enforced.

    Plugin Author Gioni

    (@gioni)

    I think it’s too complex a mechanism, at least for ordinary website owners and ordinary websites. I think hashing usernames in author URLs will be enough for protecting usernames. After enabling this feature you just need to pick a theme that doesn’t use usernames in the generated HTML code, or disable that via theme settings.
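    The two leaks the plugin author describes above (the username in /author/ URLs, and the author-<username> / author-<id> classes core puts on the body tag of author archives) can be closed from a small must-use plugin. The sketch below is an added example, not the Cerber plugin's code nor anything the posters wrote; the `hu_` function name and the plugin itself are hypothetical, while the `author_link`, `request` and `body_class` hooks and `wp_salt()` are real WordPress APIs. It assumes pretty permalinks with the default /author/%author%/ structure.

```php
<?php
/**
 * Plugin Name: Hide usernames in author URLs and body classes (hypothetical example)
 * Place in wp-content/mu-plugins/ so it loads before the theme.
 */

// Opaque per-site slug for a user: HMAC of the user ID keyed with the site's
// auth salt, so it cannot be reversed into the login and differs between sites.
function hu_author_slug( $user_id ) {
    return substr( hash_hmac( 'sha256', (string) $user_id, wp_salt( 'auth' ) ), 0, 16 );
}

// 1. Generated author links become /author/<hash>/ instead of /author/<user_nicename>/.
//    get_author_posts_url() also drives the canonical redirect of ?author=N, so that
//    redirect should land on the hashed slug as well.
add_filter( 'author_link', function ( $link, $author_id, $author_nicename ) {
    $pattern = '#/' . preg_quote( $author_nicename, '#' ) . '(/?)$#';
    return preg_replace( $pattern, '/' . hu_author_slug( $author_id ) . '$1', $link );
}, 10, 3 );

// 2. Resolve an incoming /author/<hash>/ request back to the user ID before the
//    main query runs. A plain nicename slug is answered with a 404 so the real
//    login cannot be confirmed by probing; drop that line if old external links
//    to the plain slug must keep working.
add_filter( 'request', function ( $vars ) {
    if ( empty( $vars['author_name'] ) ) {
        return $vars;
    }
    // Linear scan is fine for a small site; cache the slug in user meta on a large one.
    foreach ( get_users( array( 'fields' => 'ID' ) ) as $id ) {
        if ( hash_equals( hu_author_slug( $id ), (string) $vars['author_name'] ) ) {
            unset( $vars['author_name'] );
            $vars['author'] = (int) $id;
            return $vars;
        }
    }
    $vars['error'] = '404';
    return $vars;
} );

// 3. Strip the author-<nicename> and author-<id> classes core adds to <body> on
//    author archives. A theme that echoes the login elsewhere (element IDs,
//    img alts) still has to be fixed in the theme itself.
add_filter( 'body_class', function ( $classes ) {
    return array_values( array_filter( $classes, function ( $c ) {
        return strpos( $c, 'author-' ) !== 0;
    } ) );
} );
```

    After activating it, check the HTML of an author archive and the Location header of a ?author=1 request to confirm neither contains the user_nicename.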
