Your WordPress site comments are giving information to hackers

Something I recently discovered: if you run a WordPress site and make a comment on a post yourself while logged in, information relating to your username is added to the HTML that makes up the comment when displayed on the post page.

Specifically, a version of your username that WordPress calls ‘user_nicename’ is added to the CSS classes of the comment’s <li> element. For example, if my user login for this site was ‘ZigPress’ (it isn’t!), the word ‘zigpress’ would be added to the classes of any comment I made on the site while logged in.

As you may have deduced from the above paragraph, your ‘user_nicename’ is derived from your username when your user account is created, and it cannot be edited from your profile in admin. It is NOT the same as the ‘Nickname’ that you can edit from your profile. Having this information in the HTML of your page hands a would-be hacker a very good guess at the username of the website’s admin user, which removes the username-guessing half of a brute-force login attack and reduces the effort such an attack needs.
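To see what the leak looks like in practice, here is an added Python example (not code from the original post) that scans the comment markup of a page for the class WordPress adds to a logged-in user’s comment and flags any exposed nicename that matches a real login name. The sample HTML is constructed; the ‘comment-author-’ prefix is the class token current WordPress uses for this (the post itself only says the nicename is added to the classes), and the list of login names is assumed to be the site owner’s own, used to check their own site.

```python
import re

# Constructed sample of the markup WordPress emits for a comment list.
# The first comment was posted by a logged-in user (nicename "zigpress"),
# the second by an anonymous visitor. The "comment-author-<nicename>" token
# is assumed to be the class WordPress adds; the post only says the nicename
# is added to the <li> classes.
SAMPLE_COMMENT_HTML = """
<ol class="comment-list">
  <li id="comment-12" class="comment byuser comment-author-zigpress bypostauthor even thread-even depth-1">
    <div class="comment-body">Thanks for reading!</div>
  </li>
  <li id="comment-13" class="comment odd alt thread-odd depth-1">
    <div class="comment-body">Great post.</div>
  </li>
</ol>
"""

# Match the class attribute of each <li> element.
CLASS_ATTR_RE = re.compile(r'<li\b[^>]*\bclass="([^"]*)"', re.IGNORECASE)
AUTHOR_CLASS_PREFIX = "comment-author-"


def leaked_nicenames(html):
    """Return the set of nicenames exposed via comment-author-* classes on <li> elements."""
    found = set()
    for class_attr in CLASS_ATTR_RE.findall(html):
        for token in class_attr.split():
            if token.startswith(AUTHOR_CLASS_PREFIX):
                found.add(token[len(AUTHOR_CLASS_PREFIX):])
    return found


def nicenames_matching_logins(html, user_logins):
    """Flag exposed nicenames that equal one of your real login names (case-insensitive).

    An exposed nicename that differs from every login (e.g. after the fix described
    in the post) is still visible, but no longer tells anyone what to type into the
    username box.
    """
    logins = {login.lower() for login in user_logins}
    return sorted(name for name in leaked_nicenames(html) if name.lower() in logins)


if __name__ == "__main__":
    # Site owner checking their own page against their own account list.
    print("exposed nicenames:", sorted(leaked_nicenames(SAMPLE_COMMENT_HTML)))
    print("nicenames equal to a login:", nicenames_matching_logins(SAMPLE_COMMENT_HTML, ["ZigPress", "editor"]))
```

Run it against the saved HTML of one of your own post pages (with your own account list) before and after changing the nicename: the token stays in the markup, but after the change it should no longer appear in the second list.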

The only way to change it is to do so directly using the database, and I would recommend strongly that you do so, now. You can change the ‘user_nicename’ completely safely without affecting any aspect of your site’s operation, apart from the URL of any ‘author’ archive pages on your site (these are in the format sitename.com/author/nicename). Not many sites use the author archive, and you’ll know if you do, so I don’t see this as being a big problem.

Instructions

Log in to phpMyAdmin or whatever you use to access your site’s database.

Display the contents of the wp_users table (yours might not start with wp_), so you can see your admin user account’s ID. It will be a number, probably quite small, like 1.

Run a query like this:

UPDATE wp_users SET user_nicename = 'abcdefgh' WHERE ID = 1;

Substitute your table name if different, ID if different, and put in a random set of characters for the new user_nicename, don’t just follow what I put. For example, if your table name is mywp_users and your admin account ID is 3, and you come up with ‘D8vhSB4nschD’ as a random string of characters, your query would look like this:

UPDATE mywp_users SET user_nicename = 'D8vhSB4nschD' WHERE ID = 3;

Once you have run that query and got a result like ‘1 record affected’, you’re done. Any comments you make on posts on your own site while logged in will no longer leak information about your username.

After doing this, I recommend that you change the username you use to log in as well. You can do that in the same way, except that instead of changing user_nicename, you would change user_login.
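The same change, as an added Python example rather than the post’s raw query, using an in-memory SQLite table as a stand-in for wp_users (a real site uses MySQL; only the UPDATE statement itself carries over, so treat the connection code as illustration). It generates the random nicename with the standard library instead of by hand, binds the new value and the user ID as query parameters, and returns the affected-row count the post tells you to look for. Lowercase letters and digits are used because the nicename also ends up in author archive URLs and in CSS class names; the table-name check is a precaution for the one value that cannot be bound as a parameter.

```python
import secrets
import sqlite3
import string

# Characters safe for a value that appears in URLs and CSS class names.
NICENAME_ALPHABET = string.ascii_lowercase + string.digits


def random_nicename(length=12):
    """Generate a random lowercase alphanumeric user_nicename."""
    return "".join(secrets.choice(NICENAME_ALPHABET) for _ in range(length))


def rotate_nicename(conn, table, user_id, new_nicename):
    """Set user_nicename for one user via a parameterised UPDATE; return rows affected."""
    # Table names cannot be bound as parameters, so only allow letters, digits and '_'
    # (covers wp_users as well as a custom prefix such as mywp_users).
    if not table.replace("_", "").isalnum():
        raise ValueError("unexpected table name: %r" % table)
    cur = conn.execute(
        "UPDATE %s SET user_nicename = ? WHERE ID = ?" % table,
        (new_nicename, user_id),
    )
    conn.commit()
    return cur.rowcount


def current_nicename(conn, table, user_id):
    """Read back the stored nicename so the change can be verified."""
    if not table.replace("_", "").isalnum():
        raise ValueError("unexpected table name: %r" % table)
    row = conn.execute(
        "SELECT user_nicename FROM %s WHERE ID = ?" % table, (user_id,)
    ).fetchone()
    return row[0] if row else None


def demo_conn():
    """Build an in-memory stand-in for wp_users holding one admin account (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_nicename TEXT)"
    )
    conn.execute("INSERT INTO wp_users VALUES (1, 'ZigPress', 'zigpress')")
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = demo_conn()
    new_name = random_nicename()
    affected = rotate_nicename(conn, "wp_users", 1, new_name)
    print("%d record affected; user_nicename is now %s" % (affected, current_nicename(conn, "wp_users", 1)))
```

On a real site you would point the connection at the MySQL database and keep the rest; a result of 0 affected rows means the ID did not match, so check the wp_users listing again before assuming the change took effect.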

Using Author Archives

If you do use the author archives and don’t really want a random string of characters in your author archive URLs, simply use a name which is sensible but not the same as your username. For example, if my user_login for this site was ‘andytowler’ (it isn’t), I could choose to set my user_nicename to ‘andyt’. By doing this, hackers might try to log in with the username ‘andyt’ but would always fail, because they have no way of knowing that ‘andytowler’ is the actual username used for logging in.

Posted by News Monkey