WordPress user security issue


If you’re a hacker, WordPress is an obvious target: it is one of the most common CMS and blog platforms on the planet. As I write this reminder I’m using WordPress 3.9.

To get access to a WordPress admin area you need two things: a username and a password. Without taking precautions, WordPress makes it fairly easy for a hacker to get the first of these, your username.

On many WordPress websites you will see a blog post with the name of the author attached, rather like this one. If you hover over the “by Dave Walker” section you’ll see the link to the author page WordPress wants to take you to. Unfortunately, by default, when named permalinks are in place (and they should be for SEO purposes) the author slug in that URL is the actual user name!!

This slug is governed by the database field wp_users.user_nicename, which cannot be changed from the dashboard.

It makes sense to ensure that no user_nicename entry matches the account’s actual login name (user_login).
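As an added example (not from the original post), the following SQL, run directly against the WordPress database, first lists every account whose author slug still equals its login name and then changes the slug for one of them. It assumes the default wp_ table prefix and a constructed replacement slug (dave-w-blog); substitute your own prefix and a slug that does not reveal the login name.

```sql
-- Audit: find accounts where the public author slug equals the login name.
-- Any row returned here leaks a valid username through /author/<slug>/ URLs.
SELECT ID, user_login, user_nicename
FROM wp_users
WHERE user_login = user_nicename;

-- Fix: give the account a slug that differs from user_login.
-- user_nicename must be URL-safe (lowercase, hyphens, max 50 chars)
-- and should be unique across wp_users, as WordPress expects.
-- 'dave-w-blog' and ID 1 are constructed placeholders for this example.
UPDATE wp_users
SET user_nicename = 'dave-w-blog'
WHERE ID = 1
  AND user_login = user_nicename;

-- Re-run the audit; it should now return no rows.
SELECT ID, user_login, user_nicename
FROM wp_users
WHERE user_login = user_nicename;
```

Changing user_nicename changes the author archive URL, so any existing links to /author/<old-slug>/ will stop resolving; add a redirect if those pages have inbound links. If you have WP-CLI available, the same change can be made without touching the database by hand with `wp user update 1 --user_nicename=dave-w-blog`.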

Dave Walker
Dave Walker is a middle aged programmer living in North Yorkshire, who loves music and used to enjoy constantly restarting fitness regimes with a bit of football, cycling, swimming & jogging. Now I just eat biscuits.
