Support » Requests and Feedback » Login page serious information disclosure

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Yui

    (@fierevere)

    ゆい

    I have shared a link to this topic on the #core Slack channel
    ( https://make.wordpress.org/chat/ )

    But it will be much better if you can file a ticket on Trac

    https://core.trac.wordpress.org/

    Moderator Marius L. J.

    (@clorith)

    Hi there,

    WordPress does not consider usernames as sensitive or private information. In fact, very few sites do these days, especially given how you can log in using an email address (you hand out your email address countless times per day, and you use it to log in to services like social media, for example).

    By providing clear instructions to the user, we instead reduce login-friction for non-technical users, and enforce (unless explicitly dismissed) the use of strong passwords when adding users, or changing passwords.

    You can read more about this at https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-disclosures-of-usernames-or-user-ids-not-a-security-issue

    pedrotski

    (@pedrotski)

    Marius,

    While I appreciate the reply, you’re wrong.

    No information should ever be disclosed when trying to brute passwords. This is a major security risk.

    We have had to manually remove it from every site we have, but it should be this way by default.

    Not to mention, a person who doesn’t remember their password also doesn’t know how to correctly protect their site. The ‘login friction’ excuse is invalid.

    optimocha

    (@optimocha)

    I agree that this should change (and there are plugins for hiding error messages in the login forms) but I believe the correct way to suggest this change is through WordPress Trac.
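The behaviour the thread is arguing about is that wp-login.php answers a failed login with a different message depending on whether the submitted username or e-mail exists ("Unknown username" versus "The password you entered for the username X is incorrect"), so an attacker can confirm account names before ever guessing a password. The two replies above mention removing the message by hand and using plugins for it; the snippet below is an added example of how that is done with core's own hooks. It is not code posted by any participant in this thread and not part of WordPress core or any named plugin. It assumes a small mu-plugin file, and the function and plugin names are invented here:

```php
<?php
/**
 * Plugin Name: Generic Login Errors (example)
 * Description: Collapse the WordPress login failures that reveal whether an
 *              account exists into one generic message. Added example for this
 *              thread, not core code. Place in wp-content/mu-plugins/ so it is
 *              active without activation (assumption: single-site install).
 */

// 'authenticate' is a core filter (wp-includes/user.php). Core's own callbacks
// run at priority 20/30 and return either a WP_User or a WP_Error whose codes
// tell the caller exactly what went wrong. We run last and rewrite the codes
// that leak account existence before wp-login.php turns them into messages.
add_filter( 'authenticate', 'gle_collapse_auth_errors', PHP_INT_MAX, 3 );

/**
 * @param null|WP_User|WP_Error $user     Result so far from earlier callbacks.
 * @param string                $username Submitted username or e-mail address.
 * @param string                $password Submitted password.
 * @return null|WP_User|WP_Error
 */
function gle_collapse_auth_errors( $user, $username, $password ) {
    if ( ! is_wp_error( $user ) ) {
        return $user; // successful login (WP_User) or nothing to report (null)
    }

    // Error codes core emits that distinguish "no such account" from
    // "account exists, wrong password":
    //   invalid_username / invalid_email -> the account does not exist
    //   incorrect_password               -> the account exists (message even
    //                                       echoes the username back)
    $revealing = array( 'invalid_username', 'invalid_email', 'incorrect_password' );

    foreach ( $user->get_error_codes() as $code ) {
        if ( in_array( $code, $revealing, true ) ) {
            // Return a fresh WP_Error so none of the original codes or
            // messages survive; wp-login.php renders whatever is returned here.
            return new WP_Error(
                'invalid_credentials',
                '<strong>Error:</strong> The username or password you entered is incorrect.'
            );
        }
    }

    // empty_username / empty_password and similar say nothing about whether
    // an account exists, so keep them for usability.
    return $user;
}
```

Two practical notes. The `wp_login_failed` action that lockout and rate-limiting plugins listen for still fires, because core triggers it for any WP_Error except the empty-field codes, and `invalid_credentials` is not one of those; the change is therefore invisible to those plugins. And this only covers the login form: the lost-password form is a separate code path (retrieve_password() in wp-login.php) that still reports "There is no account with that username or email address", so a site that wants to hide account existence has to handle that form as well.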
