• I just tried to log into my client’s WordPress, however the password was wrong. All well and good, the login failed as expected, however the system gave the following message:

    ERROR: Incorrect password

    If I give it an incorrect username, again your system politely tells me:

    ERROR: Invalid username.

    So, now I know why my client tells me the system is constantly being broken into!

    Do you guys developing WordPress NOT KNOW that you should NEVER indicate the exact reason for login failure?? The error should only say something like: “ERROR: Login failed, please check your username and password.”

    With the way you have it, a hacker can sit there guessing usernames until your system politely tells them they have a correct username and from there continue until they have the pass.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter backslider

    (@backslider)

    I see this was brought up on TRAC within the last two months:

    http://core.trac.ww.wp.xz.cn/ticket/12129

    Idiot (no offense) Ryan tells us “This is by design. There is a balance to be made between security and user friendliness.”

    This is an idiotic response. Yes, there is a balance, this is known as a “retrieve username/pass link” if really needed on the login page, not a system that gives hackers an easy way to crack into the system.

    “User friendliness” should FIRST be toward people running your system, not people who cannot manage to login correctly.

    It’s really insecure. It becomes easy, to a small extent, for someone to break in.

    I fully agree with you. It is insecure. But why not use some plugin from the ‘Login security’ field? E.g. http://devel.kostdoktorn.se/limit-login-attempts ?
    It resolves this issue without changing a row of core WordPress code.
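
The enumeration problem described in the opening post and the attempt-limiting approach suggested in the last reply, as an added Python sketch written for this page (it is not WordPress code and not from any poster). The user store, salt, usernames and lockout threshold are constructed for the demo; a real system uses a per-user random salt and persistent counters.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo store (not WordPress's schema): username -> PBKDF2 hash.
SALT = b"demo-salt"  # constructed; real code derives a random salt per user
ITERATIONS = 50_000


def _hash(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {"alice": _hash("correct horse")}
DUMMY_HASH = _hash("placeholder")  # hashed against when the user does not exist


def login_leaky(username: str, password: str) -> str:
    """The behaviour complained about: the message names the failing field,
    so a wrong-password reply confirms that the username exists."""
    if username not in USERS:
        return "ERROR: Invalid username."
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return "ERROR: Incorrect password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Hardened form: one message for either failure, and the password hash is
    always computed so a missing user cannot be told apart by response time."""
    stored = USERS.get(username, DUMMY_HASH)
    matched = hmac.compare_digest(stored, _hash(password)) and username in USERS
    return "OK" if matched else "ERROR: Login failed, please check your username and password."


# Per-(client, username) failure counter, in the spirit of a limit-login-attempts plugin.
MAX_ATTEMPTS = 3  # constructed threshold
_failures: dict = defaultdict(int)


def login_limited(client_ip: str, username: str, password: str) -> str:
    key = (client_ip, username)  # hypothetical keying; real plugins also key by IP alone
    if _failures[key] >= MAX_ATTEMPTS:
        return "ERROR: Too many failed attempts, try again later."
    result = login_uniform(username, password)
    _failures[key] = 0 if result == "OK" else _failures[key] + 1
    return result
```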


The topic ‘WordPress login insecure’ is closed to new replies.