Tim Nash
Forum Replies Created
Forum: Fixing WordPress
In reply to: Need: Database Expert
If you are looking for someone to do the work, please try http://jobs.wordpress.net/ or http://directory.codepoet.com/, and do not accept any hire offers posted to these forums.
Otherwise you might want to explain what the current issue is.
Please don’t use Modlook for these types of posts. If you think there is an issue with a plugin that should or should not be in the w.org repo, you can email plugins [at] wordpress.org, as they are the team that deals with it.
Modlook simply gets you grumpy forum moderators, who have nothing to do with the plugins team, being disturbed while eating their lunch.
Forum: Plugins
In reply to: [Feed Changer & Remover] Since when do we publish under the Apache License?
The Apache License is compatible with the GPL: http://www.apache.org/licenses/GPL-compatibility.html
Forum: Fixing WordPress
In reply to: WP 4.3.1 still allows visibility of admin usernames
1) Under Blog & Portfolio Menu > Meta Information ( /wp-admin/admin.php?page=of-blog-and-portfolio-menu ), I disabled inclusion of “Author”.
2) On the NEWS page itself, under “Show advanced settings”, I disabled “Show post author”.
These are probably settings in your theme rather than WordPress. If it’s a theme from w.org, please do let me know so I can pass it on to the Theme Review Team to go chat to them.
2) Installed plugin “Google Authenticator”
That is probably the only sensible thing you have done. For anyone following this thread, installing 2FA of any sort is a good idea.
I am contemplating making an additional, albeit experimental, change, by directly (phpMyAdmin) editing the “user_nicename” database column’s value in the WP_USERS table for the Admin user. Presently, its value is the SAME as the username and I plan to change it to the same value as the account’s Nickname.
You could HACK core, or you could change it by changing the display name in the user’s profile.
Forum: Plugins
In reply to: [Wise Chat] Timer For Chatters Who Don't Logout
Just a general warning: never, ever ask for or send login credentials to anyone on these forums. While most people are simply trying to help, that is not always the case.
By handing over logins you are not only risking the safety of your site, but you are also putting the person logging in into a position of massive liability.
As a plugin developer, the plugin is supplied without warranty; if it breaks, oh well. However, the second you log into a client’s site, you have become responsible for that site’s well-being, and not just for the period of time you are logged in: now any issues could potentially be blamed on you.
Please never ask for a user’s login details again :)
Forum: Plugins
In reply to: [Contact Form 7] Responsive fields is it possible?
On the forums, make sure you include code within the code tag, and only use the tag for short snippets, as you can cause some formatting issues.
Forum: Fixing WordPress
In reply to: WP 4.3.1 still allows visibility of admin usernames
I still feel it’s best not to blatantly ignore the fact that this intrinsic feature of WordPress continues to warrant discussion.
Let’s try to put this to bed, at least in this thread, once and for all.
Hi, I think I class as a reputable security guy!
Well, maybe less so on the reputable part, but really, when it comes to security, reputable is not the word you are perhaps looking for when assessing expertise.
I think we have a few conceptual problems in this thread and some quite dodgy use of the English language.
Smart corporations choose to hide the username, when one’s workstation is locked, forcing the authorized personnel to provide their full credentials each time. Clearly, there is a consensus on the topic of not revealing any portion.
I suggest you take a closer look at the word consensus :) I think you might not understand its meaning. Also, I have had the fortune of working with some very smart companies & NGOs, some of which are in highly sensitive industries; with the prevalent use of swipe cards and network-based access in enterprise, this statement really is a null point. Also, you would struggle to find a modern OS not supporting fast user switching. It sounds like the smart companies you are referring to probably need to go and have a chat with the IT department; if the response is that this is for security, then they need to chat to their security or information governance team.
However, within the “reputable” security world there is consensus that a username is a means to identify a user. Identity by its very nature is not security; in fact, the last thing we want is to hide an identity, as then we have no mechanism to confirm trust.
To take some real-world examples, in your world:
Users are in something akin to witness protection. We are hiding our users from the evil baddies; the system is still trying to track them, but we hide or conceal true identities from outsiders.
The problem is that witness protection doesn’t work. It relies almost entirely on anonymity to keep us safe, and when that fails, for example a corrupt official (a bug in software), we are dead. It also means we have limited contact with the outside world and system. To keep our anonymity we also have to keep our interaction to a minimum.
Instead, modern computing systems use a multi-tiered approach of identification, authentication and authorisation. Users within the system are known entities, for example employees at a bank; we don’t hide them. However, before you can enter restricted areas your identity is verified. In the real world that probably means standing there in person, with someone comparing you to your likeness, and at least one other challenge, a passcode for example.
You are your identity, and you are very much public, being human and walking into buildings and all. Online, that is your username.
A username is a human-readable identifier to the system, other users and indeed anyone or anything interacting with our system. It is designed to be recognisable to the individual and to the other users and external entities. In itself it is actually simply a pointer to the user object ID, which in WordPress’s case is a simple integer.
WordPress, like any other system, works using access controls; through these it authenticates and authorises a given entity. How does it work? When an entity identifies itself by giving a username, be it that entity’s or someone pretending to be that entity, WordPress challenges it to produce a secret, in this case a password.
So our entity is giving us one piece of public knowledge, the username, and a way to authenticate through the response to the challenge, the password. An authenticated entity can then perform authorised operations based on the entity’s existing capabilities.
Assuming everything has gone according to plan and we have trust in the authentication, we can then use the fact that the username is public. Once authenticated, your username is the public face of your identified presence. We can now trust who you are.
If we make usernames secret knowledge, we then won’t have a way to identify and verify usernames without introducing a level of complication and, in doing so, potentially a gaping hole in our security.
If you are at all concerned, then a few things to keep in mind.
Always have a strong password; if you are not able to do this yourself, use a password manager.
If you are thinking a single tier of security is not enough, and I agree with you, then consider introducing second-factor authentication. This means we basically challenge an entity twice: once with a secret, i.e. a password, and once on whether they have access to information, be it a passcode we send to a location (email, phone) or physical device (YubiKey), or a jointly agreed changing cipher (Google Authenticator).
By introducing 2-factor authentication we have provided another level of security while keeping with the tenets of good security practice: identification, authentication and authorisation.
Hopefully this has helped. If you are worried, I strongly recommend doing some background reading; I can’t think of anyone within reputable security recommending obfuscation as a valid technique. Though sadly it’s still a very common misconception, as you have demonstrated, and it’s understandable why on the face of it.
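The identification, authentication and authorisation flow described in the reply above, as an added example that is not part of the original post and is not WordPress's own code: a Python model in which the username is public and merely maps to an integer ID, the password is checked against a salted hash in constant time, a TOTP second factor (RFC 6238, the scheme authenticator apps implement) is required once enrolled, and capabilities gate what an authenticated ID may do. PBKDF2 stands in for WordPress's phpass-based hashing, the USERS dict stands in for the wp_users table, and every user, passphrase and enrolment secret below is constructed for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 100_000

# Constructed in-memory stand-in for wp_users: user_login -> record.
# The login and ID are public identifiers; only salt/digest and the TOTP secret are private.
USERS: dict[str, dict] = {}


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). PBKDF2-SHA256 stands in for WordPress's phpass hashing."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the 'jointly agreed changing cipher' of an authenticator app."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def add_user(user_id: int, login: str, password: str, caps: set[str],
             totp_secret: bytes | None = None) -> None:
    salt, digest = hash_password(password)
    USERS[login] = {"ID": user_id, "salt": salt, "digest": digest,
                    "caps": set(caps), "totp_secret": totp_secret}


def identify(login: str) -> int | None:
    """Identification: the username is just a pointer to the integer user ID."""
    rec = USERS.get(login)
    return rec["ID"] if rec else None


def authenticate(login: str, password: str, code: str | None = None,
                 now: int | None = None) -> int | None:
    """Authentication: challenge for the secret (password) and, if enrolled, a second factor.
    Returns the user ID on success and None on any failure."""
    rec = USERS.get(login)
    if rec is None:
        hash_password(password, b"\x00" * 16)  # burn the same work so timing does not leak which logins exist
        return None
    if not verify_password(password, rec["salt"], rec["digest"]):
        return None
    if rec["totp_secret"] is not None:
        now = int(time.time()) if now is None else now
        # Accept the current and the previous 30-second step to tolerate clock drift.
        valid = [totp(rec["totp_secret"], t) for t in (now, now - 30)]
        if code is None or not any(hmac.compare_digest(code, v) for v in valid):
            return None
    return rec["ID"]


def authorise(user_id: int | None, capability: str) -> bool:
    """Authorisation: an authenticated ID may only do what its capabilities allow."""
    if user_id is None:
        return False
    return any(capability in rec["caps"] for rec in USERS.values() if rec["ID"] == user_id)


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the flow with constructed users; 'now' is fixed so results are reproducible."""
    USERS.clear()
    admin_secret = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed enrolment secret
    admin_pw = "correct horse battery staple"
    add_user(1, "admin", admin_pw, {"manage_options", "edit_posts"}, admin_secret)
    add_user(2, "editor", "another long passphrase", {"edit_posts"})
    return {
        "admin_is_public": identify("admin"),                                   # 1
        "wrong_password": authenticate("admin", "password123", totp(admin_secret, now), now),  # None
        "password_without_2fa": authenticate("admin", admin_pw, None, now),     # None
        "password_with_2fa": authenticate("admin", admin_pw, totp(admin_secret, now), now),    # 1
        "stale_code_rejected": authenticate("admin", admin_pw, totp(admin_secret, now - 90), now),  # None
        "editor_login": authenticate("editor", "another long passphrase", None, now),          # 2
        "editor_manage_options": authorise(2, "manage_options"),                # False
        "admin_manage_options": authorise(1, "manage_options"),                 # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Knowing the public username "admin" gets an attacker nowhere without the password and, once 2FA is enrolled, the current code; a stale code and a correct password on its own both return None. The dummy hash on an unknown login keeps a failed lookup from being distinguishable by timing, which matters more than hiding the name itself.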
Forum: Fixing WordPress
In reply to: Hello TARA, volunteer moderator
Please do not reach out to individual moderators; it’s not fair on the moderators, who are all volunteers.
Regardless of your situation, we are here to help as a collective, not as individuals. I’m going to close this post, and would ask that you don’t open another post trying to reach out to Tara.
Instead, if you have a problem, open a new thread, or reply on the existing thread.
Many thanks
Forum: Everything else WordPress
In reply to: Removal topics
As per the welcome message, we don’t delete topics except in special circumstances; looking at the topics on the w.org forums, there doesn’t appear to be any reason to delete them.
Forum: Plugins
In reply to: [Contact Form 7] Css CF7 problem
Just a reminder: this is a public forum, and both lovely people and some not-so-nice people are able to see everything that is posted, including your admin user and password. I would go and change your password now.
Forum: Fixing WordPress
In reply to: Hacked
You need to start working your way through these resources:
- https://codex.wordpress.org/FAQ_My_site_was_hacked
- https://wordpress.org/support/topic/268083#post-1065779
- http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
- http://ottopress.com/2009/hacked-wordpress-backdoors/
Additional Resources:
Forum: Fixing WordPress
In reply to: Theme messed up
I have deleted the credentials; however, you should change your password. Not everyone is a nice person, and you just posted your login details in a very public place.
Forum: Fixing WordPress
In reply to: Why can't post?
From time to time, users’ posts get caught in our moderation system, and a moderator needs to approve them. It would appear your posts have hit that system. Don’t worry, it normally gets sorted quickly; in the meantime it will take a few minutes for your comment to appear.
Forum: Fixing WordPress
In reply to: PCI compliance reverse proxy issue
You are never going to be able to become PCI compliant on a shared host, as you are sharing resources and OS processes with unknown entities, i.e. other users of the host.
It’s interesting that the scanner (I assume you are using an automated scanner) has picked up a proxy; it’s most likely due to the way GoDaddy routes traffic to their shared hosts. Again, nothing you can do about it.
I’m afraid the answer is to move to a VPS/dedicated hardware and make sure your host is set up to provide PCI-compliant services; very few are.
However, you may be able to reduce the scope of PCI compliance away from your site by using a payment provider who either offers a remotely hosted payment form or uses iFrames, like Stripe or Braintree.
Either way, you are probably best getting advice, as getting PCI-DSS compliant is not particularly easy or straightforward, so where possible it’s best to avoid your site being within scope in the first place.
Forum: Themes and Templates
In reply to: [Pinnacle] Change orange tab color
Hi Laura,
Take a deep breath and relax; your original post was in the moderation queue, which happens from time to time. Unfortunately, the more you posted, the more the automated systems thought you were up to no good. All fixed now.