Username exposure

  • WayneM1


    With the most recent botnet attack on WordPress powered websites, I’m (once again) reviewing the measures I take to secure my WP installations.

    Most WP admins understand the importance of not using the default “admin” username when setting up a site. Many WP admins do not realize that simply using a different main admin username is not enough. That username should be “obscure” (not easily guessed) and it certainly should not be the same as the publicly displayed “nickname” that is associated with the user account. Those need to be different – this helps to prevent bots and bad people from getting the first part of your login credentials = your username.

    While I have been taking action to ensure this is the case on the WP sites I manage, I’ve noticed a problem with the way that bbPress displays username information. Even if a user has a “nickname” that is different from the actual username – when you hover over a link to the user’s profile the URL will show the actual username (the one you are trying to hide through obscurity).

    There is an older thread on the WP forums that seems to suggest that this is not a WP core issue, but rather a plugin/theme coding issue. I don’t know if that is correct, or not. But, it is an issue in any case and needs to be addressed.
