by bubblebeard 682 days ago
This reminds me of an article in which brute forcing the WP admin panel was discussed. The problem was that when supplying inaccurate user credentials you would get an error message telling you which was wrong. Their dev stated this was a design choice, that you needed to balance security and user friendliness.

Security in WP seems more like an afterthought to me, which is a shame to say the least.


It can indeed be incredibly confusing for users if that is not disclosed, bordering on hostile.

It is a common pattern to re-register, e.g. when in a hurry, so you end up with multiple ids. If you also have userids in addition to email addresses, it can easily become a hard problem in itself to solve/remember which email/pw corresponds to which userid. Obfuscating user/password error messages can make this much worse.

Techies often forget what a messy world non-engineers live in.

Isn’t NOT disclosing that security by obscurity?

It makes it so much easier for attackers - they then can know that a user has an account there too, and can then use that information to find that user's other known passwords. It's offering up information the attacker might not have.
Most applications end up disclosing that anyways either by a success message in the password reset flow, or an "email already in use" message in the registration flow. Obscuring who has an account is a major commitment for the design of any unauthenticated api, one that's both difficult and often user-hostile. And if you trip up once you have a worst-of-both-worlds where you've both made your website worse for your users and attackers can still easily check if someone is a user.

WordPress takes almost the opposite approach: They consider the fact that you are an author on a page public information. There is even the /wp-json/wp/v2/users api to enumerate them. At least they don't show email addresses, but you can also login with the username. ([1],[2] for examples in the wild).

Of course as a WordPress admin you can decide differently: extensibility is one of the core pillars of WordPress. Security arguably is placed behind extensibility and user-friendliness.

1: https://quebec.ubisoft.com/en/wp-json/wp/v2/users

2: https://www.rollingstone.com/wp-json/wp/v2/users

While I agree it's not really security through obscurity because when combined with other strategies (like mitigating timing attacks and rate limiting) it does expose less information to the attacker.

However, I stand that it does depend on the application. For example: Facebook does not use generic error messages. I presume because there are other trivial ways to find out if a user has an account so mitigating enumeration through the login form is not actually adding extra security.

All it has to say is "if you have an account with us, check your email address you just used"

WordPress doesn't consider usernames as a secret[1], so under that logic it is totally fine to say whether a username exists when trying to log in.

[1] https://core.trac.wordpress.org/ticket/20235#comment:7

It's not quite so clear cut. Close. Even OWASP acknowledges there are trade-offs:

> The problem with returning a generic error message for the user is a User Experience (UX) matter. A legitimate user might feel confused with the generic messages, thus making it hard for them to use the application, and might after several retries, leave the application because of its complexity. The decision to return a generic error message can be determined based on the criticality of the application and its data. [1]

Though it's a pretty low bar. Given the common uses of WordPress, there is certainly a very strong argument that it warrants the extra security.

I'm not defending its UX, I think it should have more generic errors. Just pointing out that this one particular example is not in and of itself the best banner to hold up when it comes to bad security as it is not a clear cut answer. A person could be very considerate of security and still come to the conclusion that the better UX is worth the risk.

[1] https://cheatsheetseries.owasp.org/cheatsheets/Authenticatio...

I think this is a valid point. At least for frontend usage I can see how less generic messages might make sense. I would still opt for generic messages, but I’m also a little paranoid ;)

Yep, I've found fail2ban wired to NGINX logs is a good solution against brute force and DDoS attacks on my WordPress sites.

I think that is a valid stance to take by default, and maybe have the option to change it.

If you force good passwords it really shouldn’t matter too much if the usernames can be enumerated.

To me it’s needless exposure for admin accounts. I can see the value for frontend, client, accounts. However, only if such a service uses usernames and not email addresses for logins. Otherwise it would be a great way for attackers to accumulate email addresses related to certain types of services.

Unless your users reuse passwords on other websites, then it is remarkably easy to enter a website. Increasing password complexity doesn't solve the issue with password reuse, and can often have users writing their passwords down on post-its around their desk/monitors.

Increasing complexity makes it harder to brute force hashed and salted passwords from a database. But yes if it is already leaked then you have a problem.

Though I would say that checking against Have I Been Pwned or another service is a much better mitigation against that.

And 2fa is even better than both.

The truth of the matter is that the owners of most WordPress sites really do not care if it is hacked. Especially if they have a semi decent backup strategy. It is used in so many low stakes deployments that it is kind of silly to force certain levels of security.

Remember it is always about risk/reward. The most secure computer is the least usable one.

I do agree, but with the popularity of WordPress, I see more and more larger companies using it as a solution. I think the bigger issue is having the site penetrated, then silently serving up malware to your clients, than defacement or anything that would receive attention. I'm not familiar if there is a plugin or solution for integrating a password checking service with WordPress. I know that it's not difficult to integrate with other CMS solutions.

While not with WordPress, I've had this conversation multiple times with both management where I'm employed, as well as with client management. I always give pushback when it comes to logins, forgotten passwords, and registrations. Telling someone that a username/email or password is wrong just halved the work needed to break into a system, if not more (since having a username or email correct, with an incorrect password, could allow further social engineering).

For a forgotten password where an email is entered, I always send back a success message. I understand that humans type their emails incorrectly, but allowing a user to enter an email address and seeing a message stating the email wasn't found has now just become a way for an attacker to discover what emails are registered with a website. From there, social engineering becomes much easier, as well as brute forcing ONLY a password and not an email/password combination.

I understand that the complexity in this is due to human frustration, rather than a technology problem. Probably one of the more complex problems to solve. I wish I could paste over these issues by writing more code.
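The two patterns this comment and the earlier "generic error message" comment describe, as an added Python example that is not from the thread or from WordPress: a login that names the wrong field (and skips the hash check for unknown users, so it also leaks via timing) beside one that returns the same text and does the same work either way, plus a reset flow that always reports success. The user table, PBKDF2 parameters and the `send` callback are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # constructed for the example; tune for real deployments


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, hash). Not real accounts.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}
REGISTERED_EMAILS = {"alice@example.com"}

# Dummy credential that is verified whenever the username is unknown, so the
# unknown-user path costs the same as the wrong-password path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC = "Invalid username or password"
RESET_MESSAGE = "If that address is registered, a reset link has been sent"


def login_enumerating(username: str, password: str) -> str:
    """The pattern criticised in the thread: the message says which field was wrong."""
    if username not in USERS:
        return "Unknown username"  # early return: no hash computed, so faster as well
    salt, stored = USERS[username]
    if hmac.compare_digest(hash_password(password, salt), stored):
        return "OK"
    return "Incorrect password"


def login_generic(username: str, password: str) -> str:
    """Same text and same amount of work whether or not the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    if matched and username in USERS:
        return "OK"
    return GENERIC


def request_reset(email: str, send) -> str:
    """Always answer the same way; only actually send mail when the account exists."""
    if email in REGISTERED_EMAILS:
        send(email)
    return RESET_MESSAGE
```

Rate limiting still belongs in front of both handlers; the generic message only removes the oracle, it does not slow an attacker down.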

Yes it is a choice and security is a balance. You could encase the server in lead and drop that to the bottom of the sea, but that would be an extreme on the “security” side. You could do away with user authentication completely, that would be an extreme the other way.

That’s true and I see your point. Personally I do not understand this choice in contrast to an admin panel though.

What we can say for sure is:

1. By common standards, this is considered bad practice, especially in the context in which WordPress operates. User enumeration is widely considered to be an unacceptable consequence of error messages this specific, in most circumstances.

2. There are only very slightly more cumbersome ways to get the functionality desired by this choice (e.g., ‘forgot password’ email loop that’ll email you if you entered an email address for which no account exists).

Bluntly, WP is from a time when security was considered an afterthought, and done very poorly. Especially in PHP land.

They’re undoubtedly carrying a lot of that legacy code, and more importantly, a lot of that cultural baggage.