by cqqxo4zV46cp
687 days ago
What we can say for sure is:

1. By common standards, this is considered bad practice, especially in the context in which WordPress operates. User enumeration is widely considered to be an unacceptable consequence of error messages this specific, in most circumstances.
2. There are only very slightly more cumbersome ways to get the functionality desired by this choice (e.g., ‘forgot password’ email loop that’ll email you if you entered an email address for which no account exists).

Bluntly, WP is from a time where security was considered an afterthought, and done very poorly. Especially in PHP land. They’re undoubtedly carrying a lot of that legacy code, and more importantly, a lot of that cultural baggage.
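Added example, not part of the comment above and not WordPress code: a framework-neutral Python sketch of the two points, showing a login handler whose error text allows user enumeration beside a uniform one, and a 'forgot password' flow that answers identically on the page and tells only the mailbox owner whether an account exists. The account store, message strings and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical account store and mail queue).
SALT = b"constructed-salt"

def hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

USERS = {"alice@example.com": hash_pw("correct horse")}
DUMMY_HASH = hash_pw(secrets.token_hex(16))  # compared against for unknown users
OUTBOX = []                                  # (recipient, kind of mail queued)

GENERIC_LOGIN_ERROR = "Incorrect email address or password."
GENERIC_RESET_NOTICE = "If that address can receive mail, a message is on its way."

def login_specific(email, password):
    """Enumerable form: the error text reveals whether the account exists."""
    if email not in USERS:
        return "No account is registered with that email address."
    if not hmac.compare_digest(USERS[email], hash_pw(password)):
        return "The password for that account is incorrect."
    return "ok"

def login_uniform(email, password):
    """Same text for both failures; a hash is always computed and compared,
    so the unknown-user path does not return noticeably faster."""
    stored = USERS.get(email, DUMMY_HASH)
    matches = hmac.compare_digest(stored, hash_pw(password))
    return "ok" if (matches and email in USERS) else GENERIC_LOGIN_ERROR

def request_reset(email):
    """The 'email loop': the web response never varies; the difference is
    delivered only to whoever controls the mailbox."""
    kind = "reset-link" if email in USERS else "no-account-notice"
    OUTBOX.append((email, kind))
    return GENERIC_RESET_NOTICE
```
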