Does Genesis show the account/admin/username?
This topic has 5 replies, 3 voices, and was last updated 11 years, 4 months ago by Bill Murray.

May 24, 2013 at 7:06 pm #42541 jgarner (Member)
I sent an email via M Gardners site and didn't hear a word back (even though it says response within 48h).
Does Genesis, by default, show a link that divulges the account name? The post info and author link on my site look like they are just providing the author name, but when you hover over them or scan the code they show a link to an author URL that divulges the account/username.
Thanks for any input...
May 24, 2013 at 7:31 pm #42544 Brad Dalton (Participant)

May 24, 2013 at 10:18 pm #42565 Bill Murray (Member)
@jgarner - What you're seeing has nothing to do with Genesis. It's default WP behavior. If you include a link to an author archive, then, yes, that URL will reveal the actual username without some workarounds.
If you want to change the behavior, you can explore this plugin or read this article. Note that I'm not recommending the plugin or the technique described in the article, just letting you know of their existence. You can also alter your theme to not display an author archive link on any page.
If you're concerned that hiding the username makes brute force attacks harder, that would be ignoring the fact that a very high percent (above 99% in my experience) of the brute force attacks are done on a very limited set of usernames such as "admin". The plugin or the technique probably won't do any harm, but they probably won't do much good in that the chance your site will face a brute force attack on a unique username is very, very slim.
Web: https://wpperform.com or Twitter: @wpperform
We do managed WordPress hosting.
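One way to apply the workaround described above (decouple the public author slug from the login name, and drop the archive link from the Genesis post info) as a must-use plugin. This is an added example, not code from the thread, from Genesis, or from any plugin named here; it assumes a stock WordPress install where the author archive URL is built from the user_nicename column, assumes Genesis exposes the genesis_post_info filter with the [post_author] and [post_author_posts_link] shortcodes, and the function name example_decouple_author_slug is hypothetical.

```php
<?php
/**
 * Plugin Name: Decouple author slug from login (added example)
 * Place in wp-content/mu-plugins/. Assumptions: stock WordPress, Genesis child theme.
 */

// 1. Make the public author slug (user_nicename) differ from the login name.
//    WordPress builds /author/<user_nicename>/ from this column, and by default
//    it is just a sanitized copy of user_login, which is what leaks the account.
function example_decouple_author_slug( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    // Prefer the display name as the slug; if it is empty or still equals the
    // login, fall back to a constructed opaque slug derived from the salted hash.
    $candidate = sanitize_title( $user->display_name );
    if ( '' === $candidate || $candidate === sanitize_title( $user->user_login ) ) {
        $candidate = 'author-' . substr( wp_hash( $user->user_login . $user_id ), 0, 12 );
    }
    if ( $candidate !== $user->user_nicename ) {
        // wp_update_user() fires profile_update again, so unhook while we write.
        remove_action( 'profile_update', 'example_decouple_author_slug' );
        // wp_insert_user() appends a numeric suffix if the nicename is already taken.
        wp_update_user( array( 'ID' => $user_id, 'user_nicename' => $candidate ) );
        add_action( 'profile_update', 'example_decouple_author_slug' );
    }
}
add_action( 'user_register', 'example_decouple_author_slug' );
add_action( 'profile_update', 'example_decouple_author_slug' );

// 2. Genesis: keep the author's name in the post info, but replace the
//    archive-link shortcode with the plain-name shortcode so no /author/ URL
//    is emitted in the page source at all.
add_filter( 'genesis_post_info', function ( $post_info ) {
    return str_replace( '[post_author_posts_link]', '[post_author]', $post_info );
} );
```

Existing users keep their old slug until their profile is next saved; after activating, check the page source of a post and the author archive URL to confirm neither contains the login name.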
May 24, 2013 at 11:56 pm #42571 jgarner (Member)
Hi,
Thanks for the feedback. First of all, I use BPS Pro, which has a login security system. I was alerted to the fact that an 'unusual' and active username was directly used to log in, which meant it was likely divulged in some way. To my surprise I found the links as described above for the author that gave away the culprit login details in the source code of pages.
I then removed these using the Simple Edits plugin, which by default shows the author link in the code, and I also changed this in Nick's Amplified Feature plugin. Genesis out of the box, Simple Edits and Nick's plugin all display by default a link that has the author name in it.
@wpperform I do not agree with the approach that says this is default behaviour of WordPress, since it 'IS' in the themes and plugins that this information is generated and then displayed; WordPress is just the basis. I would only be paraphrasing what was discussed on the BPS forum anyway... But themes and plugins shouldn't be doing this.
BTW you only need to check the demos on StudioPress to see there are several themes that show the author info (i.e. http://domainname.com/theme/author/admin !)
@braddalton I have removed all the occurrences on my main sites, was it to check?

May 25, 2013 at 1:39 am #42574 Brad Dalton (Participant)

May 25, 2013 at 8:22 am #42596 Bill Murray (Member)
@jgarner - You misunderstood my comments on default WP behavior. Genesis uses core WP functions to display the author archive, so by default in WP (and therefore Genesis), if you display an author archive, it will contain the username. I wasn't claiming that display of these archives is the default for WP, since display is the realm of themes. It sounds like you've turned off the display in Genesis, so you have protected yourself from the default WP behavior. As for whether any Genesis child theme should include an author archive by default, that's a separate issue. Since the security risk is very low and some see the benefit of making it easy to find other posts by the same author (especially on multi-author blogs), I suspect the developers of Genesis have good reason to keep the defaults as they are but make it easy for people like you with a different view to change them.
BPS may have alerted you that an actual username was used to log in, but in all likelihood it wasn't tied to this issue. If this visitor had a valid password and wasn't you or someone you know or authorized, your security was compromised elsewhere (server, malware on your PC, etc.). If the visitor failed to gain access after 1 or 2 attempts, he likely gave up on his own, and it was not related to anything BPS did. Most attackers need generalized systems to try to attack large numbers of installations; after all, it's a hit-or-miss affair. If attackers were to try to incorporate unique usernames per site, their efforts at scale would get bogged down and they'd break into fewer sites. I'm sure hackers will get better, but for now, brute force attacks on unique usernames almost never happen. They're so rare that I can't remember the last time I've seen one.
Web: https://wpperform.com or Twitter: @wpperform
We do managed WordPress hosting.