Login page serious information disclosure

Moderator Yui (@fierevere) ゆい

    I have shared a link to this topic on the #core Slack channel
    ( https://make.wordpress.org/chat/ )

    But it will be much better if you can file a ticket on Trac

    https://core.trac.wordpress.org/

    Moderator Marius L. J. (@clorith)

    Hi there,

    WordPress does not consider usernames to be sensitive or private information. In fact, very few sites do these days, especially given how you can log in using an email address (you hand out your email address countless times per day, and you use it to log in to services such as social media, for example).

    By providing clear instructions to the user, we instead reduce login-friction for non-technical users, and enforce (unless explicitly dismissed) the use of strong passwords when adding users, or changing passwords.

    You can read more about this at https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue

    Marius,

    While I appreciate the reply, you’re wrong.

    No information should ever be disclosed when someone is trying to brute-force passwords. This is a major security risk.

    We have had to manually remove it from every site we have; but it should be this way by default.

    Not to mention, a person who doesn’t remember their password also doesn’t know how to correctly protect their site. The ‘login friction’ excuse is invalid.
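    The site-level change the poster describes, making the login failure message generic, as an added example (not code from the thread or from WordPress core): a must-use plugin that hooks WordPress's `authenticate` filter and replaces the username- or password-specific failure with one generic message. The `gle_` names and the `wp-content/mu-plugins/` location are this example's assumptions.

```php
<?php
/**
 * Plugin Name: Generic Login Errors (added example)
 * Description: Collapses login failures that reveal whether an account exists
 *              into one generic message. Drop this file into wp-content/mu-plugins/.
 */

// Error codes that core's default authentication handlers add when the
// username/email is unknown or the password is wrong. Each one tells the
// visitor which half of the credential pair failed, which is the disclosure
// this thread is about. (The codes are core's; the gle_ prefix is this example's.)
const GLE_DISCLOSING_CODES = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

/**
 * Runs late on the 'authenticate' filter, after core's username/email
 * handlers (priority 20) have produced either a WP_User or a WP_Error.
 *
 * @param WP_User|WP_Error|null $user     Result so far.
 * @param string                $username Submitted login (username or email).
 * @param string                $password Submitted password.
 * @return WP_User|WP_Error|null
 */
function gle_neutralize_login_errors( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user; // successful login, or nothing to report yet
    }

    foreach ( $user->get_error_codes() as $code ) {
        if ( in_array( $code, GLE_DISCLOSING_CODES, true ) ) {
            // Replace the whole error object so no per-field hint survives.
            return new WP_Error(
                'gle_login_failed',
                __( '<strong>Error:</strong> Invalid username or password.' )
            );
        }
    }

    // Other errors (empty fields, checks added by plugins) do not reveal
    // whether an account exists, so leave them as they are.
    return $user;
}
add_filter( 'authenticate', 'gle_neutralize_login_errors', 100, 3 );
```

    This covers the login form only; the password-reset form produces its own messages and is not changed here.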

    The “Membership – Anyone can register” option on the general settings page is enabled. This means users can register via the standard WordPress wp-login.php page. If you do not want users to be able to register via this page and only register via the Ultimate Member registration form, you should deactivate this option. You can dismiss this notice if you wish to keep the wp-login.php registration page open

    ERROR: The “Membership – Anyone can register” option on the general settings page is enabled. This means users can register via the standard WordPress wp-login.php page. If you do not want users to be able to register via this page and only register via the Ultimate Member registration form, you should deactivate this option. You can dismiss this notice if you wish to keep the wp-login.php registration page open.
    Please help.
