bad login attempts poor security practices
-
Please send a generic bad username/password message back. By sending “bad username”, you are letting a hacker know too much. Best security practice is a generic message. That way a hacker would, for instance, never know if the default admin account was still named ‘admin’. With the current config, the hackers will know when they have the right username, and then will be able to focus on the password.
Great work on WordPress though, no doubt a tremendous effort!
-
@notacarboncowcultist things aren’t that simple on a site with millions of users.
We’re aware of good security practices and regularly review and improve our methods based on experience.