When we talk about the basics of WordPress security, we always tell you to use a very strong password. The recently added password strength meter helps with that. But what about usernames? WordPress offers a way to change your display name, which acts as a username alias. However, it doesn’t hide the username, since the username is used within the URL and can’t be changed. For example, https://wptavern.com/author/username is always my account, regardless of my display name.
Some argue the leaking of usernames is a security risk. Dion Hulse, a core contributor to WordPress, explained the reasoning behind leaked usernames in a trac ticket 19 months ago.
It has been stated in previous tickets, “leaking” of the username is not deemed a security issue by WordPress.org, as it’s a conscious decision to use the username as the slug in the URL. If you don’t like this default behaviour, there are plugins in the repository which allow you to change the URL format to your preferred layout.
Instead of attempting to provide security by forcing people to guess your username, you should be focusing on improving passwords, and/or considering two-factor authentication (i.e. Google Authenticator) if your passwords are known to be insecure and/or weak.
While not exactly the same scenario, this trac ticket from seven years ago indicates how long the consensus has been around. The username is treated as common knowledge since it’s not difficult to determine. When I asked Andrew Nacin, lead developer for WordPress 3.9, whether the information shared by Hulse is still accurate, he said, “It’s fairly similar language we use when replying to security inquiries.” He then offered similar advice, “Create a strong password. Then, instead of playing games with your username, use a two-factor authentication plugin.”
What Is Two-Factor Authentication?
Logging in with a password is considered single-step authentication. It relies only on something you know. Two-step authentication, by definition, is a system where you use two of the three possible factors (something you know, something you have, something you are) to prove your identity, instead of just one. In practice, however, current two-step implementations still rely on a password you know, but use your phone or another device to authenticate with something you have.
Two-Factor Authentication Using Jetpack Single Sign On and WordPress.com
Jetpack comes with a module called Single Sign On. When activated, it allows visitors to use their WordPress.com login credentials to register accounts on self-hosted WordPress sites. This is important because users of WordPress.com have the ability to turn on two-factor authentication for their account.
By enabling two-factor authentication on WordPress.com, the account is protected whenever it is used to register with any WordPress site through the Single Sign On module, whether or not that site runs a two-factor authentication plugin of its own.
Alternative Two-Factor Authentication Plugins
There are plenty of alternatives to using WordPress.com and the single sign on module. A search of the plugin repository for two-factor authentication plugins shows 40 results. I asked Brennen Byrne, co-founder of Clef, what advice he has for those looking to add two-factor authentication to their site.
When deciding on a two-factor authentication plugin, you should look for one that is well maintained and frequently updated. Two-factor requires that you trust the sender of your messages, so you shouldn’t use a plugin that’s out of date or someone’s side-project.
WordPress.com VIP identifies passwords as the weakest link in the security of anything you do online. Two-factor authentication is an easy step you can take to make your logins more secure.
I can tell you from ten years fixing hacked web sites that WordPress password-related hacking is the least serious issue on the board (though it gets a lot of press for some odd reason).
Two-factor authentication is overkill for most, and tends to give clients a false sense of security.
The main reason why clients are hacked has less to do with passwords and more to do with clients not updating their plugins, themes and WordPress installations.
I would go so far as to say that in my professional experience less than 20% of hacking situations are password-related.
WordPress has already “solved” the password issue IMHO by including the “Strength indicator,” and most security plugins have options to force strong passwords. When used they effectively close the username / password “hole” which was in previous years often abused.
In short, if we all focus on educating our clients toward maintaining updates, and less focus on the latest password management meme, there will be a lot fewer hacked websites tomorrow.