WordPress Security: OWASP 2017 – A2 Broken Authentication

Authentication allows users to access their data using their own credentials. In web applications this is one of the major risk areas. A web application with broken authentication can let users access other users' data that they are not supposed to have access to.

A web application with broken authentication can be exploited in several ways, such as credential stuffing (using a list of known usernames and passwords to log in), brute-force logins, passwords stored in plain text, incorrect session management, etc.

WordPress has core mechanisms that help prevent broken authentication: core user account and authentication management, password salting and stretching, session destruction on logout, etc.
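As an added example (not code from the original article or from WordPress core), the following must-use plugin shows how the two risks above can be addressed on top of core's own mechanisms: it throttles brute-force and credential-stuffing attempts per username and client address, and it destroys every session token for a user after a password reset. It uses only public core hooks and functions (`authenticate`, `wp_login_failed`, `wp_login`, `after_password_reset`, transients, `WP_Session_Tokens`, `wp_hash_password()`, `wp_check_password()`); the `owasp_a2_demo_` names, the limits of 5 attempts per 15 minutes, and the assumption that `REMOTE_ADDR` is the real client address (no reverse proxy) are this example's own.

```php
<?php
/**
 * Plugin Name: OWASP A2 demo: login throttling and session hygiene
 *
 * Added example, not WordPress core code. Place in wp-content/mu-plugins/.
 * Assumptions: no reverse proxy in front of the site (REMOTE_ADDR is the
 * client address) and the default transient store.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

const OWASP_A2_DEMO_MAX_ATTEMPTS = 5;   // failures before lockout (constructed value)
const OWASP_A2_DEMO_WINDOW       = 900; // lockout window in seconds (15 minutes)

/** Transient key scoped to username + client address. */
function owasp_a2_demo_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'owasp_a2_fail_' . md5( strtolower( sanitize_user( $username ) ) . '|' . $ip );
}

/** Count a failed login; core fires wp_login_failed after a bad credential. */
function owasp_a2_demo_record_failure( $username ) {
    $key   = owasp_a2_demo_key( $username );
    $count = (int) get_transient( $key );
    // Every failure (including one refused by the throttle) restarts the window.
    set_transient( $key, $count + 1, OWASP_A2_DEMO_WINDOW );
}
add_action( 'wp_login_failed', 'owasp_a2_demo_record_failure', 10, 1 );

/** Refuse the login while the lockout is active, even with the right password. */
function owasp_a2_demo_throttle( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $count = (int) get_transient( owasp_a2_demo_key( $username ) );
    if ( $count >= OWASP_A2_DEMO_MAX_ATTEMPTS ) {
        // Generic message: do not reveal whether the username or password was wrong.
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed logins. Try again later.' )
        );
    }
    return $user;
}
// Priority 30 runs after core's username/password check (priority 20), so a
// correct password is also refused while the lockout is active.
add_filter( 'authenticate', 'owasp_a2_demo_throttle', 30, 3 );

/** Clear the counter once the user logs in successfully. */
function owasp_a2_demo_clear( $user_login, $user ) {
    delete_transient( owasp_a2_demo_key( $user_login ) );
}
add_action( 'wp_login', 'owasp_a2_demo_clear', 10, 2 );

/** After a password reset, invalidate every session token for that user so a
 *  session established with the old credentials cannot keep being used. */
function owasp_a2_demo_destroy_sessions( $user, $new_pass ) {
    WP_Session_Tokens::get_instance( $user->ID )->destroy_all();
}
add_action( 'after_password_reset', 'owasp_a2_demo_destroy_sessions', 10, 2 );

/** Shows core's salted, stretched hashing: the stored value is a one-way hash
 *  with a random salt, and only wp_check_password() can verify it. Returns true
 *  when the right password verifies and a wrong one does not. */
function owasp_a2_demo_hash_roundtrip( $plain ) {
    $hash = wp_hash_password( $plain );
    return wp_check_password( $plain, $hash ) && ! wp_check_password( $plain . 'x', $hash );
}
```

Because the counter is keyed on username and address together, a distributed credential-stuffing run that spreads one username over many addresses is only partially slowed; pairing this with a per-username counter or a network-level rate limit is the usual next step. The transient store must be shared between all web nodes (an object cache or the database) for the lockout to hold across a load-balanced setup.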


