Hi everyone. Today I've tested some WordPress websites and found that there is a potentially dangerous mistake in the user login system prior to version 3.1.

Most developers who install WordPress on their server leave the default admin username, called admin, which is not so difficult to guess. If you try to log in using the username admin with a wrong password, you get the system message "ERROR: The password you entered for the username admin is incorrect. Lost your password?". While trying to log in using the username administrator or any other wrong username with a wrong password, you get the system message "ERROR: Invalid username. Lost your password?".

So, this is a potentially dangerous mistake in the login system which allows an attacker to guess the username, and that means 50% of the hacking attempt is done and the only thing he needs to do is to guess the password.
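The usual fix for the message difference described in the post is to make every failed login return the same text, so the form no longer tells a visitor which part of the credential was wrong. The following is an added example of that mitigation as a WordPress must-use plugin; it is not code from the original post or from the WordPress project. It assumes the file is saved under wp-content/mu-plugins/ (the file name and the exact wording of the generic message are the example's own choices) and uses the real `login_errors` filter and `wp_login_failed` action that WordPress provides.

```php
<?php
/**
 * Plugin Name: Generic Login Errors (added example)
 * Description: Returns one message for every failed login so the form no
 *              longer reveals whether a username exists, and logs the attempt.
 *
 * Example mitigation, not code from the original post. Place this file in
 * wp-content/mu-plugins/ so it loads automatically; the file name is an
 * assumption of this example.
 */

// Single message used for every authentication failure (wording is an assumption).
const EXAMPLE_GENERIC_LOGIN_ERROR = 'ERROR: Invalid username or password.';

/**
 * Replace whatever WordPress was about to print with the generic message.
 * The 'login_errors' filter receives the HTML that wp-login.php is about to
 * render inside the login_error box; returning a fixed string removes the
 * "incorrect password" vs "invalid username" distinction from the post.
 */
function example_generic_login_error( $errors ) {
    // Keep an empty message empty so a freshly opened login page shows no error.
    if ( '' === trim( wp_strip_all_tags( (string) $errors ) ) ) {
        return $errors;
    }
    return esc_html( EXAMPLE_GENERIC_LOGIN_ERROR );
}
add_filter( 'login_errors', 'example_generic_login_error' );

/**
 * Record each failed login so repeated guessing against one username
 * (for example the default "admin") is visible in the server error log.
 * 'wp_login_failed' fires with the submitted username as its first argument.
 */
function example_log_failed_login( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'wp-login failure: user=%s ip=%s',
        sanitize_user( (string) $username, true ),
        $ip
    ) );
}
add_action( 'wp_login_failed', 'example_log_failed_login' );
```

Two things to keep in mind when using this: the filter replaces every message passed through `login_errors`, including the ones for an empty username or password field, so the generic text should read sensibly in those cases too; and the log line only gives you visibility, so pair it with whatever rate limiting or lockout your hosting already offers, and rename the default admin account as the post suggests.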