How to protect usernames
The author archive page URL betrays half of the information you need to access the WordPress backend ~ if I hover over an avatar, I can see the login names from all my users are publicly visible.
To avoid this risk I would prefer that they weren’t but alternatively I am trying to use the “User Slug Hider” plugin which changes all author page URLs from e.g. www.example.com/author/admin to a 16 digits coded strings like www.example.com/author/e9e716def73f76ac. The codes are generated automatically and its impossible to make conclusions about the user names. The WordPress default URLs will cause a 404 (not found) error.
1) are you using a non-standard system call to create those links in AskBug?
2) if so, could you switch to the standard system call?
3) if not, could you give me some other way to hide the usernames?
Terence.
This is why we have passwords.
Login is “public” part, password is “private” part. You should at all times feel confident disclosing logins. If you are afraid of bruteforce attack or similar, use “limit login attempts” plugin or others.
If you think passwords are not good enough, if you don’t trust your users will treat them right – use 3rd party authentification systems, AnsPress supports “WordPress Social Login” and it works great. Usually, Facebook security is not worse than what you can offer.
If login is half of protection you have, I say you are doing it wrong.
Yes, I honestly think “the simpler, the better”. And username=url slug=login=mentions handle looks simple enough to me.
Here, [email protected], an email managed by gmail. This is my login. The most important login I have on the internet, you could for example access my account on this QA site by accessing my email. Have my security just dropped by half? This is the common practice to share an email.
@Terence I think so, most of site uses username in public and its better then real name because its unique name. Even WP show username to public, in author post page.. so hiding username will not make a big difference even though if you mange to hide it it may breaks many things. But I am not saying its impossible, this can be achieved very easily in AnsPress (I will write a topic in my free time if you need it)
@Rahul I realise “leaking” of the username is not deemed a security issue by WordPress.org, as it’s a conscious decision to use the username as the slug in the URL, but I am just not happy with their explanation, that’s all.
Neither, I think its a security issue. Its depend on your preference. This method is commonly used in most of site (I think 99%, maybe).
Why give the hacker the login which is half the protection you have?
Do you honestly think that it is ‘best practice’ to openly display usernames on a website?
I don’t believe you are seriously promoting the idea of a WordPress made less secure, but this what it amounts to.
This isn’t an either/or situation; best practise is to have both secure password and secure login.
Not to do so makes the site as easy to hack as one where “admin” has been used as the login for the 01 account.
Unfortunately WordPress does half the hacker’s job by publishing your username in the author url.
I don’t like this default behaviour, and there are plugins in the repository which allow you to obfuscate the url format.
My concern is, the design of AnsPress/AskBug is preventing me using those plugins.