27 Comments


  1. I can tell you from ten years fixing hacked web sites that WordPress password related hacking is the least serious issue on the board (though it gets a lot of press for some odd reason).

    Two-factor authentication is overkill for most, and tends to give clients a false sense of security.

    The main reason why clients are hacked has less to do with passwords and more to do with clients not updating their plugins, themes and WordPress installations.

    I would go so far as to say that in my professional experience less than 20% of hacking situations are password-related.

    WordPress has already “solved” the password issue IMHO by including the “Strength indicator,” and most security plugins have options to force strong passwords. When used they effectively close the username / password “hole” which was in previous years often abused.

    In short, if we all focus on educating our clients toward maintaining updates, and less focus on the latest password management meme, there will be a lot fewer hacked websites tomorrow.

    Reply

    • You make a lot of great points. The reason for this article is because over the past few years, there has always been this notion that being able to determine the username in WordPress so easily is a security issue. So I wanted to help set the record straight on why usernames are so easy to determine.

      Reply

      • “The main reason why clients are hacked has less to do with passwords and more to do with clients not updating their plugins, themes and WordPress installations.”

        Reply

    • I also deal with hacked sites, and I concur. Brute force password attacks tend to kill a server before someone actually gets in.

      The common reasons I see for being hacked:

      * Old versions of WP
      * Out of date plugins/themes
      * Inactive plugins/themes with security holes (“I’m not using it, why should I update?”)
      * Third party (non WP) code on the account
      * Virus on the computer captured passwords (this one happened to me, hush)
      * Rogue admin installed backdoor

      The last two are fairly exceptional.

      Somewhere WAY down at the end is “My WP Password was sniped.” Not that I suggest one log in to your network on a non-secure network, but knowing my username is Ipstenu? Not a secret :)

      Reply

    • That’s interesting, what you and Mika say. About a year ago for a few months I was seeing the same hack on multiple sites and nearly all of them were running an old version of WordPress.

      I assume if people kept everything up to date and used strong passwords, hacked WordPress sites would be very uncommon. The tragic thing is that these two things are so easy to do.

      Maybe WordPress core should email available theme and plugin updates to the administrator a la WP Updates Notifier. Something like that in conjunction with the automatic core security updates that we have now, built-in login attempt limiting and enforcement of strong passwords could prevent a whole lot of mischief (and the reputation of WordPress).

      Reply

      • Keeping WordPress & plugins updated only helps when the person responsible for the code is responsible. i.e., you update a plugin today, but it’s only secure if the writer took security into account.

        Reply

        • Not every security flaw is discovered or addressed but those that are only come through updates. Therefore, it’s prudent to keep everything up to date. If a user doesn’t, they’re more likely to have insecure code on their server.

          Reply

  2. There’s tons of debate on this. New California law suggests that a weakly stored combination of Username and Password is considered insecure.

    The counter argument runs that if username was insecure, most email systems would be affected. For example, Google uses your email address (which is obviously public) as your username to connect to all their apps.

    I like the idea of using 2-factor authentication for higher security, but average users will find it to be an annoyance. It’s a balancing act.

    Reply

  3. If you name your site after yourself to get more approval from the big search engine, then someone has a good guess at half your login. WP allows for the displayed name to be different from the username. I don’t know why anyone would give anything away –security-wise– that they don’t have to.

    Pick an obscure word for an original username and then display your first name or nom de keyboard to the public side. Isn’t that sorta like adding a factor in itself, or at least restoring one that you already could have without added rigamarole?

    Just yesterday I had someone try to break in using my first name, although commonly they try “admin”, which was another example of over-sanguinity about security on the part of WP.

    Reply

  4. I agree. Usernames are only really susceptible to brute force attacks and these attacks rarely target usernames anyway. I run stats on multiple different blogs to see different attack vectors and they are usually centered around the “admin” username or some variety. Only rarely do I see the actual usernames on the site used in an attack.

    We take three steps to curb this kind of attack:

    1. Force strong passwords
    2. Limit Login Attempts plugin or similar
    3. Google Authenticator two-factor authentication when required

    These three make it pretty much impossible to unlock an admin account through brute force or other vectors and leave us to focus on other more sinister ways of hacking or attacking a site.

    There is a valid question to be asked about whether limiting login attempts should be built into WordPress as a core feature, but that might be a different conversation.

    Reply

    • Well said and I think it’s very much the same conversation.

      I always assumed most login forms on the Internet limited login attempts. Since WordPress doesn’t, I have to doubt that. I sure hope my bank does. I can’t think of a reason why WordPress, powering such a portion of websites, should not limit login attempts. This is a simple and effective security measure.

      Reply

  5. Usernames are not passwords so it shouldn’t matter if they’re public. It’s useful and elegant to be identified by a relevant slug. You can use ‘admin’ with a memorable diceware passphrase and it’s not likely to be cracked any time in the next few decades. With a plugin like Limit Login Attempts it will never be cracked by automation.

    The main issue is education. Huge masses on the Internet are still using predictable passwords. I’m shocked at some of the passwords I see in 2014. Sometimes it seems as if zero progress has been made with educating people about password security in the last decade. That’s why core should limit login attempts and somehow enforce strong passwords.

    Reply

  6. You can teach a horse about water, you can’t force the horse to drink that water. Some horses just die of dehydration.

    Yes, weak passwords are bad. DO YOU HAVE ANY IDEA HOW MANY PASSWORDS THAT ARE PASSWORD I HAVE SEEN OVER THE PAST WEEK ALONE?

    There was a thread on the WordPress forum that Mika answered (she didn’t create it), the user mentioned they had WordPress 3.4.1 or around that. Not updated.

    The reason your site will get hacked is due to a combination of the following:

    1) Your username. I am sure Mika’s usernames ALL OVER the internet is Ipstenu. Mine is miroslavglavic
    2) Your password, people have easy passwords due to laziness. PASSWORD is NOT a password, your birthdate (your mother’s, father’s, child’s, spouse’s) is not a password.
    My father’s security system pin was his birth year.

    Funny thing is that when I call my phone provider, they ask me: my name, cell number, birthdate, home address (phone is registered at my home address). Those are easy to find.
    3) Theme updates – I always say use a plugin instead of hard code it. We all know when you update, those custom codes will go bye bye
    4) Plugins – I don’t know why someone will use a plugin that hasn’t been updated in a year. If plugin hasn’t been updated in 6 months…think of getting another one to replace it. I wish plugin authors would tell people that they are giving up

    5) Garbage – Turn on your user registration for a day (make sure they are only subscribers) and I guarantee you will get 100 regs in that day.
    Themes that you don’t use. You don’t need more than one theme.
    Plugins you don’t use. Sorry Hello Dolly. If you don’t use extras. Get rid of them.

    In one of the sites I help with, it is an online publication with 377 writers.

    I have limit login plugin.
    I am soon implementing StrongPassword33 system where the writers (377) have to

    1) HaveUpperCaseanDLowERcASe33 passwords which includes numbers as well.
    2) Their passwords must be changed every 6 months (exact time hasn’t been approved yet).

    No one element is the key to keep your site safe.

    Reply

    • There is nothing wrong with using a plugin which hasn’t been updated in a while. Most plugins simply don’t require updating.

      Reply

  7. Year after year we are forced to use ever more complex passwords. What I don’t understand is: if you have a site, WordPress or otherwise, that doesn’t allow infinite login attempts, why isn’t even a “moderately good” password good enough? Granted using the name of your pet or a candy bar is a bad idea.

    It seems to me that passwords are at greater risk from phishing, bulk theft from an online platform, etc. And password strength doesn’t help in those circumstances.

    It’s true that WP sites do get an insane number of login attacks every day. And most of them are against the account “admin”. Those “dumb bots” are a reminder that they’ll be getting smarter and moving from “admin” to real user names soon enough. But again, if login attempts are limited, I don’t see the risk.

    I use the “Limit Login Attempts” plugin that Johan Eenfeldt was kind enough to write. And which Softaculous makes easy to add to every cPanel WP install. The default is 4 login attempts before lockout. I work with plenty of authors, and myself included, who can easily blow through that many attempts before figuring out what they’re doing wrong, so I change that to 20. When a red bar is telling you you’ve only got 1 or 2 attempts left to access your site, it’s stress that I don’t believe the WP experience needs. 20 gives the author a little more room to relax, and as long as your password isn’t as simple as an all lowercase “word” like “peanut”, the bots will still never have anywhere near enough attempts to crack it.

    Reply

    • Even a fairly weak password will be sufficient in that scenario, but if someone manages to gain access to your database somehow, then they will be able to do a local brute forcing attack.

      Reply
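Comments 4, 5 and 7 above all rest on the same reasoning: once failed logins are limited, the online guessing budget is so small that even a moderately strong password, or a memorable diceware passphrase, holds up against bots, while the reply just above points out that a stolen database turns this into an offline attack at a very different rate. The block below is an added example written for this thread; it is not code from the post, from WordPress, or from the Limit Login Attempts plugin. The 20-attempt threshold, the 20-minute lockout, the number of attacking IPs and the offline hashing rate are all assumptions used to make the arithmetic concrete.

```python
"""Login lockout counter and guess-budget arithmetic (added example, not plugin code)."""
import math
from collections import defaultdict


class LoginLimiter:
    """Count failed logins per (username, client IP) and lock the pair out after
    `max_attempts` failures inside `window` seconds, for `lockout` seconds.
    The shape mirrors what a limit-login plugin does; the numbers are assumptions."""

    def __init__(self, max_attempts=20, window=3600, lockout=1200):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
        self.locked_until = {}             # (user, ip) -> time the lockout expires

    @staticmethod
    def _key(username, ip):
        return (username.lower(), ip)      # usernames are case-insensitive in practice

    def is_locked(self, username, ip, now):
        return self.locked_until.get(self._key(username, ip), 0) > now

    def record_failure(self, username, ip, now):
        """Register one failed attempt; return True if this attempt triggered a lockout."""
        key = self._key(username, ip)
        if self.is_locked(username, ip, now):
            return True                    # still locked: do not even count the attempt
        recent = [t for t in self.failures[key] if now - t < self.window]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[key] = now + self.lockout
            self.failures[key] = []        # counter restarts after the lockout ends
            return True
        return False

    def record_success(self, username, ip):
        self.failures.pop(self._key(username, ip), None)


def guesses_per_day(max_attempts, lockout_seconds, source_ips=1):
    """Upper bound on online guesses per day against one username: each lockout
    cycle yields `max_attempts` guesses followed by `lockout_seconds` of silence.
    A per-IP lockout lets a botnet multiply that by the number of IPs it controls."""
    cycles_per_day = 86400 / lockout_seconds
    return max_attempts * cycles_per_day * source_ips


def keyspace(alphabet_size, length):
    """Number of candidates for a uniformly random secret (e.g. 7776**6 for diceware)."""
    return alphabet_size ** length


def expected_years(candidates, guesses_per_day_rate):
    """Expected time to hit a random secret: half the candidates on average."""
    return candidates / 2 / guesses_per_day_rate / 365


if __name__ == "__main__":
    online = guesses_per_day(20, 1200)            # 20 attempts, then 20 min lockout
    botnet = guesses_per_day(20, 1200, 120000)    # same limiter, 120,000 source IPs (assumed)
    offline = 1e9 * 86400                         # assumed 1e9 hashes/s against a stolen DB
    print(f"online budget, one IP : {online:,.0f} guesses/day")
    print(f"online budget, botnet : {botnet:,.0f} guesses/day")
    for label, space in (("6 lowercase letters", keyspace(26, 6)),
                         ("12 printable chars", keyspace(95, 12)),
                         ("6 diceware words", keyspace(7776, 6))):
        print(f"{label:20s}: online {expected_years(space, online):.3g} y, "
              f"botnet {expected_years(space, botnet):.3g} y, "
              f"offline {expected_years(space, offline):.3g} y")
    # A dictionary word such as "peanut" is not a random 6-letter string: against a
    # 100,000-word list the online budget alone finds it in about 35 days.
    print(f"dictionary word       : {100000 / 2 / online:.1f} days online")
```

The `keyspace` numbers only apply to secrets chosen at random; the last line shows why a real word is a different case, which is the distinction comment 7's "peanut" remark is making. The offline row is the scenario in the reply above: once the hash table is in the attacker's hands the lockout no longer participates, and only the size of the keyspace (and the cost of the hash) does.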

  8. I don’t get it. Why not take 30 seconds to make it exponentially more difficult for a determined bot to hack your site?

    Granted, if your user name is well known, then it will be assumed that it’s your login name. But that’s irrelevant. Because if your actual WordPress login name is dX5A!w3Qfr2p and your NICKNAME is Yoast, and you’ve hidden/denied access to your author archives, you’ve just increased your security significantly by adding a secure admin name.

    To not do this is like not taking a few seconds to turn your home security system on because you already have a guard dog, or because burglars don’t break in through the front door that often.

    Reply

    • If your password is as complex as “dX5A!w3Qfr2p”, then it doesn’t make any difference if an attacker knows your username. It’s not adding any real security to make the username complex too.

      Security is only as good as the weakest link, and that link is invariably the person sitting behind the keyboard. You’re already asking them to remember a complex password, if you suggest that they remember a different complex username, then you lead to the sticky-post-on-the-monitor syndrome. “Pretend” security measures often lead to decreased security because of unforeseen consequences such as these.

      Reply

    • If you want to add more protection, then you should add it to the password, as that is what it is intended for. The username is not intended for added security.

      Reply

  9. Marius Olar

    I think it is a security risk because when you find a username like ‘admin’ you can suppose that the table prefix is also default, and so on…

    Reply

  10. Gerry

    yourdomain.com/?author=1 brings up the admin username in most cases. I have seen a major increase in this attempt at brute force attacks recently. It is still rather lame to say it isn’t a problem because you can fix it with something else that needs to be added. When you have over 120,000 sites attempting to brute force into your site knowing 1/2 the key gives them an advantage that even if you block bad attempts they will still make it easier on them.

    Fortunately, there are 3 things you can do with the above knowledge without additional plugins.

    1. Change the username of the first account at the DB level to something else that uses non-standard characters.
    2. Create another “admin” level account (that isn’t called admin, again with non-standard characters)
    3. Change the first username to have no real permissions.

    Of course…
    Yes, you should use complex passwords.
    Yes, you should use a different password on each site and username.
    Yes, you should change your passwords every so often.

    However, the “security” of a standard WordPress install sucks and should still be improved.

    BTW, I am for additional plugins, however, I still believe that basic WordPress “security” can be improved at the core.

    Reply

    • Brute forcing is not a security problem (unless you have a stupid password), it’s a performance problem, as your site can get taken down due to it.

      What changes do you think should be made in core? I think a minimum password strength should be enforced.

      Reply

    • People know this, but we don’t care. Since usernames are not intended to be secret, they should never be used for authentication purposes.

      Reply
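Comment 10 above describes two things an operator can see in the web server log: `?author=N` requests that walk the user IDs to collect usernames, and the flood of `wp-login.php` POSTs that follows. The block below is an added example of detection logic over such logs, written for this thread and not taken from the post, from WordPress, or from any plugin. The log lines are constructed (RFC 5737 test addresses), and the thresholds for "enumeration sweep" and "login burst" are assumptions to tune for a real site.

```python
"""Flag author-ID enumeration and login bursts in access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx common log format; the trailing referer/user-agent fields are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

# Constructed sample: one address sweeps author IDs 1..3, then posts 12 logins in
# 12 seconds; a second address reads one author archive and logs in once.
_SWEEP = [
    f'203.0.113.9 - - [10/Mar/2014:10:00:{i:02d} +0000] "GET /?author={i} HTTP/1.1" 301 0'
    for i in range(1, 4)
] + [
    f'203.0.113.9 - - [10/Mar/2014:10:00:{10 + i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 0'
    for i in range(12)
]
_NORMAL = [
    '198.51.100.4 - - [10/Mar/2014:10:05:00 +0000] "GET /author/ipstenu/ HTTP/1.1" 200 0',
    '198.51.100.4 - - [10/Mar/2014:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
SAMPLE_LOG = "\n".join(_SWEEP + _NORMAL)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return records


def analyze(records, author_threshold=3, login_threshold=10, window_seconds=60):
    """Return {ip: [finding, ...]} for IPs that requested `author_threshold` distinct
    author IDs, or posted `login_threshold` logins inside `window_seconds`."""
    author_ids = defaultdict(set)
    login_posts = defaultdict(list)
    for r in records:
        hit = AUTHOR_RE.search(r["path"])
        if hit:
            author_ids[r["ip"]].add(int(hit.group(1)))
        if r["method"] == "POST" and r["path"].split("?")[0] == "/wp-login.php":
            login_posts[r["ip"]].append(r["ts"])

    findings = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].append("author_enumeration")
    for ip, times in login_posts.items():
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= login_threshold:
                findings[ip].append("login_burst")
                break
    return dict(findings)


if __name__ == "__main__":
    for ip, what in analyze(parse_log(SAMPLE_LOG)).items():
        print(ip, ", ".join(what))
```

A pretty-permalink visit to `/author/name/` is deliberately not counted, so a reader browsing archives is not confused with an ID sweep; only the numeric `?author=` form, which is what the enumeration relies on, is tallied. Feeding the flagged addresses to the same lockout or firewall rule the site already uses is the natural next step and needs nothing beyond the log.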
