Entries from March 2007
WordPress 2.1.2 Authentication Information Disclosure
Found an information disclosure during authentication to a blog running version 2.1.2.
When a person logs in to /wp-admin with the wrong username, the error message states “ERROR: Incorrect username”.
Whereas if you enter the correct username and the wrong password, you get the following.
The problem is that WordPress is disclosing that the username doesn’t exist, therefore [...]
Categories: security
Why having different web functions on the one box is a bad idea
Sometimes security is ignored due to timelines, money, politics, etc. I recently had to explain why having different web functions on the one physical box is a bad idea…
- Good security practice recommends separating and segregating different functions, especially in a web environment, to different systems
- Being on different systems, access can be controlled on [...]
Categories: Uncategorized




