I am no HTML/JS expert, but WP is open source, so why not just post a patch instead of building plugins and/or scripts to abuse it..
https://wordpress.org/download/source/ [7] Am 2013-07-05 15:30, schrieb Dan Ballance: > I don't *now* know if they see it as a security feature, but when you do the > install you are asked to give the admin account a username. I always thought > this was a nice additional security feature to make brute-forcing the site > more challenging. It seems I was wrong! > > This is definitely in core BTW. I am slightly embarrassed to be admitting on > full disclosure that I run wordpress for a couple of quick personal blogs > (lol) - but I don't run any extensions and always keep up-to-date with the > latest release. The real trouble lies in the 3rd party extensions (as with > most applications). > > On 5 July 2013 13:34, adam <[email protected]> wrote: > That's a very valid point, Dan. I don't use WP personally, but the feature > you're talking about, is that a core feature? Or is it offered by some > [potentially 3rd party] addon? If it's core, and this is really how they're > responding, that's mind boggling. > > Why wouldn't they simply offer it as a feature in future versions, even if > they left it disabled? It's clearly doing harm by not being an option, and > would do what exactly for it to be an option? Waste 3 minutes of a > developer's time? > > On Fri, Jul 5, 2013 at 7:02 AM, Dan Ballance <[email protected]> wrote: > > It seems crazy to me that WordPress is sensible enough to allow you to change > the default admin username to something other than "admin" - but then so > simply exposes that information to anyone that fancies scanning. I ran wpscan > last night across a couple of my installs and sure enough - my renamed admin > accounts show straight up. What a waste of time! :-/ > > On 5 July 2013 10:16, Maksymilian <[email protected]> wrote: > > The corresponding trac entry for wordpress is closed as > "wontfix": > https://core.trac.wordpress.org/ticket/1129 [1] > > Why? > > some people consider this as a security vulnerability but not everybody. eg > drupal > > https://drupal.org/node/1004778 [2] > > In Drupal, is the same problem. Using ctools, you can get username finding > > (by [Username]) > > https://drupal.org/?q=ctools/autocomplete/node/1 [3] > > (by Amazon) > > PoC: > ?q=ctools/autocomplete/node/[ID] > > In my opinion, this should be fixed. This idea, may be very helpful to create > botnet based on brutal force CMS. > > Maksymilian Arciemowicz > http://cxsecurity.com/ [4] > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html [5] > Hosted and sponsored by Secunia - http://secunia.com/ [6] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html [5] Hosted and sponsored by Secunia - http://secunia.com/ [6] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html [5] Hosted and sponsored by Secunia - http://secunia.com/ [6] Links: ------ [1] https://core.trac.wordpress.org/ticket/1129 [2] https://drupal.org/node/1004778 [3] https://drupal.org/?q=ctools/autocomplete/node/1 [4] http://cxsecurity.com/ [5] http://lists.grok.org.uk/full-disclosure-charter.html [6] http://secunia.com/ [7] https://wordpress.org/download/source/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
