I don't *now* know if they see it as a security feature, but when you do the install you are asked to give the admin account a username. I always thought this was a nice additional security feature to make brute-forcing the site more challenging. It seems I was wrong!
This is definitely in core BTW. I am slightly embarrassed to be admitting on full disclosure that I run wordpress for a couple of quick personal blogs (lol) - but I don't run any extensions and always keep up-to-date with the latest release. The real trouble lies in the 3rd party extensions (as with most applications).

On 5 July 2013 13:34, adam <[email protected]> wrote:
> That's a very valid point, Dan. I don't use WP personally, but the feature
> you're talking about, is that a core feature? Or is it offered by some
> [potentially 3rd party] addon? If it's core, and this is really how they're
> responding, that's mind boggling.
>
> Why wouldn't they simply offer it as a feature in future versions, even if
> they left it disabled? It's clearly doing harm by not being an option, and
> would do what exactly for it to be an option? Waste 3 minutes of a
> developer's time?
>
> On Fri, Jul 5, 2013 at 7:02 AM, Dan Ballance <[email protected]> wrote:
>
>> It seems crazy to me that WordPress is sensible enough to allow you to
>> change the default admin username to something other than "admin" - but
>> then so simply exposes that information to anyone that fancies scanning. I
>> ran wpscan last night across a couple of my installs and sure enough - my
>> renamed admin accounts show straight up. What a waste of time! :-/
>>
>> On 5 July 2013 10:16, Maksymilian <[email protected]> wrote:
>>
>>>> The corresponding trac entry for wordpress is closed as
>>>> "wontfix":
>>>> https://core.trac.wordpress.org/ticket/1129
>>>>
>>>> Why?
>>>
>>> some people consider this as a security vulnerability but not everybody.
>>> eg drupal
>>>
>>> https://drupal.org/node/1004778
>>>
>>> In Drupal it is the same problem. Using ctools, you can get username
>>> finding
>>>
>>> (by [Username])
>>>
>>> https://drupal.org/?q=ctools/autocomplete/node/1
>>>
>>> (by Amazon)
>>>
>>> PoC:
>>> ?q=ctools/autocomplete/node/[ID]
>>>
>>> In my opinion, this should be fixed. This idea may be very helpful to
>>> create a botnet based on brute force against the CMS.
>>>
>>> Maksymilian Arciemowicz
>>> http://cxsecurity.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
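Added example, not written by any of the posters above and not WordPress or Drupal project code: a small Python detector that reads web-server access-log lines and flags clients that walk the `ctools/autocomplete/node/[ID]` endpoint Maksymilian mentions through many distinct IDs, which is the footprint a username-enumeration sweep leaves in the logs. The log lines, IP addresses, referrers and the alert threshold are constructed for the example; the regex assumes Apache/nginx combined log format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (combined log format). The IPs, paths and
# timestamps are made up for this example; 203.0.113.7 walks node IDs 1..5,
# 198.51.100.4 is a legitimate editor using the autocomplete widget once.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2013:10:01:01 +0000] "GET /?q=ctools/autocomplete/node/1 HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:01:02 +0000] "GET /?q=ctools/autocomplete/node/2 HTTP/1.1" 200 38 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:01:02 +0000] "GET /?q=ctools/autocomplete/node/3 HTTP/1.1" 200 40 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:01:03 +0000] "GET /?q=ctools/autocomplete/node/4 HTTP/1.1" 200 39 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2013:10:01:03 +0000] "GET /?q=ctools/autocomplete/node/5 HTTP/1.1" 200 42 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Jul/2013:10:02:10 +0000] "GET /?q=ctools/autocomplete/node/12 HTTP/1.1" 200 44 "https://example.test/node/add" "Mozilla/5.0"
198.51.100.4 - - [05/Jul/2013:10:05:00 +0000] "GET /?q=node/12 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Jul/2013:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.29.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

AUTOCOMPLETE_PREFIX = "ctools/autocomplete/node/"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def autocomplete_id(target):
    """Return the node ID string from a ctools autocomplete request, or None.

    Handles both the non-clean form /?q=ctools/autocomplete/node/N used in the
    thread and the clean-URL form /ctools/autocomplete/node/N.
    """
    parts = urlsplit(target)
    path = parts.path.lstrip("/")
    q = parse_qs(parts.query).get("q", [None])[0]
    for candidate in (q, path):
        if candidate and candidate.startswith(AUTOCOMPLETE_PREFIX):
            return candidate[len(AUTOCOMPLETE_PREFIX):].split("/")[0]
    return None


def find_enumerators(log_text, threshold=4):
    """Map client IP -> sorted distinct node IDs it probed successfully (HTTP 200),
    keeping only clients that probed at least `threshold` distinct IDs.

    A real editor hits the autocomplete endpoint a handful of times while
    typing; a sweep hits it once per candidate ID, so distinct-ID count per
    client is the signal. `threshold` is a constructed tuning value.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        nid = autocomplete_id(rec["target"])
        if nid is not None:
            seen[rec["ip"]].add(nid)
    numeric = lambda s: int(s) if s.isdigit() else -1  # non-numeric IDs sort first
    return {ip: sorted(ids, key=numeric) for ip, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(ids)} distinct node IDs: {ids}")
```

Detection is only the second line of defence; the durable fix for the Drupal case in the thread is to deny the autocomplete path to anonymous clients at the web server or in the module's access callback, and the same distinct-ID-per-client counting can be pointed at whatever endpoint a WordPress install exposes usernames through.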
