WordPress fanboys: ‘WordPress more secure than SSH’

Sunday, March 2nd, 2008

Here we take a glimpse of the WordPress fanboys’ mindset. Why is WordPress more secure than SSH? Because SSH is vulnerable to username guessing (more formal term: enumeration), while WordPress isn’t! But why?

I can repeatedly send password attacks to an SSH server very fast without it being particularly impacted by it.
Hitting a WordPress server very fast would either a) have a very long round trip time or b) bring down the server due to the sudden high amount of database activity.

Look at the old SSH documents, and yeah, a username leak makes it that much easier to run a brute force attack. But this is not SSH. This is a webpage with a login form. The same solutions should not instantly apply just because that’s what people think of as ‘secure’.

In no way shall this bug report about WordPress leaking usernames be forgotten:

There are other ways to verify user names. You can reverse engineer them from the author archive URLs (e.g. http://example.com/author/mark/). I believe the consensus last time this came up was that it was trivial to figure out the user names anyway, and that it is much more user-friendly to tell them when they messed up their username, and not the password. Also, “admin” is created on install, and can’t be changed using WordPress itself, so there’s no hiding that.

In short: the default user name is already leaked in multiple ways, so there is no use protecting the user name.
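To make the login-form leak concrete, here is an added example (not WordPress code) of a password check that answers differently depending on which field was wrong, next to one that returns the same message and does the same hashing work whether or not the username exists; the user store, salt and passwords are constructed for the example.

```python
import hashlib
import hmac

# Constructed example credential store: username -> (salt, PBKDF2 hash).
# Iteration count kept low so the example runs quickly; raise it in real use.
ITERATIONS = 10_000

def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

_SALT = b"constructed-salt"
USERS = {"mark": (_SALT, _hash(_SALT, "correct horse"))}

# Dummy record compared when the username is unknown, so an attacker cannot
# tell from response time (or message) whether the account exists.
_DUMMY = (_SALT, _hash(_SALT, "placeholder-never-valid"))

def leaky_login(username: str, password: str) -> str:
    """The behaviour the post complains about: the error text tells the caller
    whether it was the username or the password that was wrong."""
    if username not in USERS:
        return "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(stored, _hash(salt, password)):
        return "Wrong password"
    return "OK"

def uniform_login(username: str, password: str) -> str:
    """Same message and the same PBKDF2 work on every failure path."""
    salt, stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(stored, _hash(salt, password))
    # The dummy record must never authenticate anyone, so require a real user too.
    if match and username in USERS:
        return "OK"
    return "Invalid username or password"
```

The uniform version removes the message oracle only; author archive URLs like /author/mark/ still expose names, which is the point the bug report makes.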

Heh, I suppose this is the reason why WordPress doesn’t need to protect against username enumeration, in addition to all the other kinds of attacks possible. The word ‘insecure’ is blasphemy to WordPress fans and developers alike, and any report saying WordPress has holes is automatically countered with ‘Bwahahaha’, be it true or not; while Automattic’s hard-coded answer is always ‘please send e-mail to security@wordpress.org’. Of course, sending email to that alias is usually met with dead air. (No, not just me.) After my second email report to them about my previous WordPress hole, only the newest employee gave a single line of reply: “we saw that”. Of course, the hole is still there without any fix, even though multiple releases have passed.

Other quotes worth a chuckle: