Safety improvements

  • Resolved wpsecs

    (@wpsecs)



    Today when users are created you have username, name and e-mail to fill in. You can also choose role. WordPress would have much better security if you could choose a different login-name than username that is shown when creating posts. Today I see hackers trying to guess passwords to every username shown on the page but if login-names would be hidden then they would not get even there to try and guess passwords.

    With hope of improvement
    [ Signature deleted ]

Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Support Volunteer

    The name shown when creating posts is configurable. There’s a “display name publicly” dropdown on the user profile page. That said, knowing what my userID is is not terribly useful if I use a decent password.

    Good point with the option on display name.
    Regarding how useful username is if you have a decent password I will always state that it is harder to gain access if you try passwords with wrong username than if you know it.

    [ Signature deleted ]

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    I will always state that it is harder to gain access if you try passwords with wrong username than if you know it.

    User names, like emails, cannot be assumed to be “secret”. They never were and really never are so don’t rely on that for any security.

    People are taught to keep their passwords secure. If you are relying on your user ID as part of that then you’re making a mistake.

    @jdembowski I have to strongly disagree with you. The less the one trying to gain access through brute force knows (Password, Username, email etc.) the less the chance of success.

    Moderator Jan Dembowski

    (@jdembowski)

    Brute Squad and Volunteer Moderator

    Don’t @ users like that. If I wanted an email from here I would have subscribed to this topic. I didn’t.

    I have to strongly disagree with you. The less the one trying to gain access through brute force knows (Password, Username, email etc.) the less the chance of success.

    You may be in for a surprise. In WordPress your email can be used as well as your username. Do you give that out when asked?

    User names, like email addresses, cannot be assumed to be secret. You can try but as a strategy it’s flawed. It’s a component that you cannot necessarily control.

    If you wish to rely on that then that’s your choice. As long as you have strong passwords then your user ID just does not matter in any security context.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Support Volunteer

    And if you worry about brute forcing, there are about a half-zillion plugins you can use to manage that. I use Wordfence.

    Don’t @ users like that. If I wanted an email from here I would have subscribed to this topic. I didn’t.

    I have to strongly disagree with you. The less the one trying to gain access through brute force knows (Password, Username, email etc.) the less the chance of success.

    You may be in for a surprise. In WordPress your email can be used as well as your username. Do you give that out when asked?

    User names, like email addresses, cannot be assumed to be secret. You can try but as a strategy it’s flawed. It’s a component that you cannot necessarily control.

    If you wish to rely on that then that’s your choice. As long as you have strong passwords then your user ID just does not matter in any security context.

    If you say so I suppose it has to be so.

    And if you worry about brute forcing, there are about a half-zillion plugins you can use to manage that. I use Wordfence.

    I agree.
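
Added example, not part of the thread and not code from WordPress or any plugin: a site owner can see the password guessing discussed above in the web server access log and flag it per source address, whether or not login names are public. It assumes the "combined" log format and that a failed login is a POST to /wp-login.php answered with 200 while a successful one is answered with a 302 redirect; the log lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ip, sec, method, path, status):
    # Build one constructed access-log line in "combined" format.
    return (f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample, not real traffic (documentation address ranges).
SAMPLE_LOG = "\n".join(
    # Eight failed logins from one address within 42 seconds.
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(0, 48, 6)]
    + [_line("198.51.100.4", 10, "POST", "/wp-login.php", 200),  # one mistyped password
       _line("198.51.100.4", 25, "POST", "/wp-login.php", 302),  # then a successful login
       _line("192.0.2.9", 30, "GET", "/wp-login.php", 200)]      # only loading the form
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def failed_logins(log_text):
    """Return (ip, timestamp) for every POST to wp-login.php answered with 200."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == "200":
            events.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")))
    return sorted(events, key=lambda e: e[1])

def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: most failures seen inside one window} for addresses reaching the threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts in failed_logins(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the sliding window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))
```

The access log does not record which login name was tried, so the count is per source address only; guessing spread across many addresses stays under a per-address threshold and needs a site-wide count as well.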
