If you log-in to your WordPress blog and use an unregistered username the system will answer “ERROR: Invalid username. Lost your password?” and if you got your username right but not your password: “ERROR: The password you entered for the username admin is incorrect. Lost your password?”
So you know independently if you used a registered username or if the password isn’t right. That’s nice of WordPress, isn’t it? From the user point of view sure it is … and from the view of a possible attacker, too!
There are many tutorials telling that you should rename your admin account to something else so that an attacker does not already has got a clue what account he has to break. Unfortunately WordPress is telling everyone if you have done so or not:
This blog owner was not so cautious and hasn’t changed the admin account. Now the attacker has a first clue and only needs to test his passwords against this username.
Wouldn’t it be much better if the error message would be the same no matter if the username is right or not:
Now the attacker does not know if the username is registered and has to try all his passwords even if the name is wrong.
The above error message is created by my new plugin called “Unified Login Error Messages” (or “Ulem”). It changes the two above mentioned error messages but keeps others like “The username field is empty.” untouched.
There are some tutorials telling you how to disable the error messages totally but no response to a user’s action is one of the main failures in UI design.