WP 4.3.1 still allows visibility of admin usernames

At the risk of sounding almost too casual about this; User security is ultimately defined by your password strength, not by a user name. There are numerous ways to reveal author names quite easily, and many references to the Author name in almost all WordPress themes. One thing you should absolutely not do though, is allow an account with “admin” in the user name. Especially if it’s the primary admin account.

Knowing someone’s user name is half of the battle for a hacker. If they don’t know it, how can they even attempt to crack it?

With all of the historical security flaws with WordPress,

You may be putting too fine a point on the issue. You can make the exact same statement about any other web based software.

There are only 2 values needed to gain access .. and WP is providing one of them pro bono

That might be an enormously short-sighted view when it comes to the method by which someone is capable of gaining unauthorized access, but I also understand how nerve-wracking it appears on the surface.

If you’re concerned about seeing username enumeration events in your access logs, block it at the .htaccess level, or you can use a plugin that does it for you. There’s a couple of excellent solutions for that.

If you want to disable the Author URL’s for peace of mind, Jan has already suggested a plugin solution for that as well.

Knowing someone’s user name is half of the battle for a hacker. If they don’t know it, how can they even attempt to crack it?

That’s pretty easy to think at first when reviewing your failed login attempts, or looking at scripted attempts in your server logs that search for weak username and password combinations, but those are pretty much just automated scripts running a routine of commonly weak credentials from a predetermined list. Not human beings in the sense that they sit at their consoles and keep typing different usernames and passwords until they get lucky – by the way; if they do guess it, it’s your fault, not the WordPress software.

Successful username and password exploits of the type you commonly see popping up in your access logs, are pretty much just low hanging fruit for automated scripts that search for security holes introduced by lazy site admins.

There’s some great information you may not have thought of in this article – Hardening WordPress – it’s a pretty good read.

I still feel it’s best not to blatantly ignore the fact that this intrinsic feature of WordPress continues to warrant discussion.

Let’s try to put this to bed, at least in this thread once and for all.

Hi I think I class as a reputable security guy!

Well maybe less so on reputable part, but really when it comes to security reputable is not the word you are perhaps looking for when assessing expertise.

I think we have a few conceptual problems in this thread and some quite dodgy use of the english language.

Smart corporations choose to hide the username, when one’s workstation is locked, forcing the authorized personnel to provide their full credentials each time. Clearly, there is a consensus on the topic of not revealing any portion.

I suggest you take a closer look at the word consensus 😀 I think you might not understand it’s meaning. Also I have had the fortune of working with some very smart companies & NGOs some of which are in highly sensitive industries, with the prevalent use of swipe cards and network based access in enterprise this statement really is a null point. Also you would struggle to find a modern OS not supporting fast user switching. It sounds like the smart companies you are referring to probably need to go and have a chat to the IT department, if the response is this is for security then they need to chat to their security or information governance team.

However within the “reputable” security world their is consensus that a username is a means to identify a user. Identity by it’s very nature is not security, in fact the last thing we want is to hide an identity as then we have no mechanism to confirm trust.

To take some real world examples, in your world:

Users are in something skin to witness protection, we are hiding our users from the evil baddies, the system is still trying to track them but we hide or conceal true identities from outsiders.

The problem witness protection doesn’t work, it relies almost entirely on anonymous to keep us safe and when that fails. For example a corrupt official (bug in software) we are dead. It also means we have limited contact with the outside world and system. To keep our anonymity we also have to keep our interaction to minimum.

Instead modern computing systems, use a multi-tiered approach of identification, authentication and authorisation. Users within the system are known entities for example employees at bank, we don’t hide them however, before you can enter restricted areas your identity is verified. In the real world that probably means standing there in person, with someone comparing you to your likeness and at least one other challenge a passcode for example.

You are your identity and you are very much public being human and walking into buildings and all. Online that is your username.

A username is a human readable identifier to the system, other users and indeed anyone or thing interacting with our system. It is designed to be recognisable to the individual and to the other users and external entities. It in itself is a actually simply a pointer to the user object ID which in WordPress case is a simple integer.

WordPress like any other system works using access controls, through this it authenticates and authorises a given entity. How does it work, when an entity identifies itself, by giving a username be it that entities or someone pretending to be that entity. WordPress challenges it to produce a secret in this case it’s a password.

So our entity is giving us one piece of Public Knowledge – username and a way to authenticate through the response to the challenge the password. An authenticated entity can then perform authorised operations based on the entities existing capabilities.

Assuming everything has gone according to plan and we have trust in the authentication. We can then use the fact that the username is public. Once authenticated your username is the public face of your identified presence. We can now trust who you are.

If we make usernames secret knowledge we then won’t have a way to identify and verifying user names, without introducing a level of complication and in doing so potentially gaping hole in our security.

If you are at all concerned then a few things to keep in mind.

Always have a strong password, if you are not able to do this yourself use a password manager.
If you are thinking, a single tier of security is not enough and I agree with you, then consider introducing a second factor authentication.

This means, we basically challenge an entity twice, once with a secret i.e password and once that they have access to information. Be it a passcode we send to a location (email, phone) or physical device (Ubikey) or a jointly agreed changing cypher (Google Authenticator)

By introducing 2 factor authentication we have provided another level of security while keeping with the tenants of good security practices of identification, authentication and authorisation.

Hopefully this has helped if you are worried, I strongly recommend doing some background reading, I can’t think of anyone within reputable security recommending obfuscation as a valid technique. Though sadly it’s still a very common misconception as you have demonstrated and it’s understandable why on the face of it.

@iframe
Using a password manager to create strong unique passwords plus a security plugin that locks out brute force passwords and enters into a 2-factor mode when a brute force attack is detected means that while I may well be one of those millions of gullible people who are being brainwashed on a daily basis, no one is going to break into my sites by brute forcing my passwords 😉

Hi iframe

I agree that many take a lax approach to security, and only pay attention when dodgy links appear on their sites. That’s why discussions such as these in public forums are of real value.

I use the ninja firewall which asserts itself as being one of the most robust in the repository at repelling DDoS attacks (link), and logs all brute forcing attempts for user review. It also includes protection for xmlrpc.php (although I don’t use this feature so block it through my .htaccess), and other useful features (I’m not affiliated in any way apart from being a satisfied user). The 6G firewall also works well with the plugin, and the hardening WordPress codex has proved invaluable in its advice on toughening installations.

Finally, I still think I’m one of those millions of gullible people as there is still much to learn, and plenty more that I think I know but probably could do better 🙂

1) Under Blog & Portfolio Menu > Meta Information ( /wp-admin/admin.php?page=of-blog-and-portfolio-menu ), I disabled inclusion of “Author”.

2) On the NEWS page itself, under “Show advances settings”, I disabled “Show post author”.

These are probably settings with your theme, rather then WordPress, if it’s a theme from w.org please do let me know so I can pass on to the Theme Review Team to go chat to them.

2) Installed plugin “Google Authenticator”

That is probably the only sensible thing you have done, for anyone following this thread, installing a 2FA of any sort is a good idea.

I am contemplating making an additional albeit experimental change, by directly (myPhpAdmin) editing the “user_nicename” database column’s value in WP_USERS table, for the Admin user. Presently, its value is the SAME as the username and I plan to change it to the same value as the account’s Nickname

You could HACK core Or you could change it by changing the display name in the users profile.