There have been a handful of discussions lately surrounding WordPress and usernames – particularly whether or not exposing usernames is a security risk.
The consensus appears to be “no.” I beg to differ.
Two Factor Authentication
Your username is one of the two pieces of information WordPress uses to identify you versus the hoards of people pretending to be you in order to gain access to your website. The second piece of information is your password.
In older systems (not WordPress), users were able to log in using just a unique ID – i.e. their username. Actually, in current systems this is still a widely accepted identification scheme. Anyone could visit any WordPress site, drop my email address in a comment form, and be recognized as me when they leave a comment.
No second form of authentication is required. This is hugely disturbing as I have zero control over the content (or removal) of comments masquarading as me by merely using my email, which is then hashed by Gravatar and used to pull in not just my profile image, but often also a “hovercard” with my information on many sites.
Two factor authentication requires two separate forms of user identification. Take the everyday example of ATM cards:
To prove that users are who they claim to be, the system requires two items: an ATM smartcard (application of the possession factor) and the personal identification number (PIN) (application of the knowledge factor). In the case of a lost ATM card, the user’s accounts are still safe; anyone who finds the card cannot withdraw money as they do not know the PIN. The same is true if the attacker has only knowledge of the PIN and does not have the card.[ref]Two-step verification[/ref]
If we were talking about bank cards rather than WordPress access, you would be hard-pressed to find someone claiming that “showing your card number is not a security risk” because, well, it’s a huge one. Even if an attacker doesn’t have your PIN, having just one piece of information is so dangerous (as a 4-digit pin can easily be guessed) that we immediately cancel/change our cards if lost, stolen, or if, say, records of a vendor like Target are hacked.
When it comes to usernames, however, we’re so used to the username/password tuple being treated as a single piece of information that two-factor authentication means something different – using a tool like Google Authenticator on a mobile phone.
I use Google Authenticator for my WordPress.com account because it’s a built-in service. However I have yet to find a comparable system for self-hosted WordPress, so I don’t use it.[ref]If Automattic were to finally open source their implementation, I’d use it in a heartbeat. I mention this at every opportunity in the hope that someone will finally do so.[/ref]
Brute-Force
In the lack of a sufficient two-factor authentication scheme (username is publish, Google Authenticator is not enabled), hacking a WordPress site is relatively easy. Usernames are public information, meaning hackers only need one piece of information.
If you’ve seen the movie Olympus Has Fallen, you’ll see where I’m going here. In the film, the attackers needed three separate codes to hack the national defense system. The President ordered the two other code-holders to give theirs up, swearing “they’ll never get mine” each time. In the end, they didn’t even need his – two codes got them far enough into the system they could use a brute force generator to guess his code and, eventually, launch the missiles.
Fictional storyline or no, this helps prove my point: if an attacker knows your login, they can brute force your password.
This is actually the key reason one of the first recommendations for securing a WordPress installation is to remove the “admin” user.
In fact, WordPress even allows administrators to set a custom username for the initial user upon instantiation to avoid having “admin” used by default. There have been further changes in core to remove “admin” as a fallback when the username is not otherwise set.
Why? Because leaving your site’s administrative username as “admin” is considered a security flaw.
Vulnerability
I’ve spoken before at how vulnerable logins to your site can be when an admin-level account is used too frequently and in poor environments. That said, the fact that usernames are exposed – and are enumerable – is one of the largest failings in WordPress when it comes to security.
There are open source tools on GitHub[ref]I will not link to these tools. I thought about it, but I don’t want anyone using this article as a “how to hack WordPress” tutorial. If you’re interested in these tools, contact me privately and explain why.[/ref] that allow attackers to quickly list usernames for accounts on your site. These tools are made possible by the fact that user IDs are assigned as auto-incrementing integers rather than true GUIDs.[ref]There have been proposals to change this, making automated enumeration of usernames essentially impossible. Unfortunately, these proposals have been met with resistance from many on the core team – not because it would be difficult, but because they fail to recognize the importance of such a task.[/ref]
All this comes back to something blindingly obvious though. Everyone is going to know part of your access. The reason we tell people not to use ‘admin’ as a login ID is not because it’s more or less secure, but because it makes it easy for script kiddies to target.[ref]Your Username is Not A Secret[/ref]
Once an attacker has an account they want to target, the same tools will allow them to brute-force the account’s password. It doesn’t require a personal vendetta against a single user, just an extra line of code to grab a list of usernames and pick one.
For many servers, this will essentially DOS the system – something a daily blogger will notice. But if scheduled during off hours, it would be easy to fly under the radar.
Honestly, when was the last time you logged into your server and checked the access logs?
Moving Forward
Usernames should not be public information – we should have an alternative field (i.e. [cci]user_nicename[/cci]) to serve as a unique identifier for author permalinks. Usernames should be used for authentication only and for nothing else.
Obfuscating user logins won’t resolve every potential vulnerability in WordPress. However, as the scale of the project continues to grow, decisions made in WordPress’ infancy will continue to rear their heads as security issues.
Usernames aren’t inherently insecure on a small scale – when a platform reaches the level of visibility attained by WordPress, however, the number of potential attack vectors tied to public usernames goes through the roof. Curtailing these attacks helps strengthen the platform.