Is my AJAX URL secure? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
                </div>
            </div>
        </div>
Closed 2014-06-17.
    </aside>

I am writing this question more from insecurity than from absolute ignorance.

I am writing a WordPress theme for personal use, and I have made a custom registration form for my site members.

Upon completion of the form, I run several AJAX calls on WordPress to check the availability of several pieces of user data.

Among the checks I make is username availability.

The process is very simple, as described below:

  1. The user enters the desired username.
  2. The user then continues to the next form field, and a blur event is produced on the username field.
  3. In this case, I send an AJAX call to my server to check the username availability.
  4. The server returns a JSON document with the appropriate information.
  5. If the username exists, then I display an error message; otherwise nothing happens.

Now, my questions.

The AJAX call sends an object of data like this:

data : {
    action : "check_username_availability",
    s      : "my_nonce_key",
    u      : "kiven_username"
}

First Question

Can I protect my server from DDoS on my AJAX call? Is my script vulnerable in this way?

Second Question

Can this AJAX URL be used in a brute-force attack to give an attacker the username list of my members?

And thus, if my script is vulnerable in these terms, can I protect myself?

</div>

Q1. Just so long as your script checks for the form submit and that the referring script is your form's address, then your "processing" script should be able to determine whether it is being called correctly or not. WordPress does this on the very first line of all its files: it checks for a predefined value, and if it's not found it thinks the script is being called directly and calls "die".

Q2. Are you really worried about your usernames being viewable? If you write your script to simply return "available" or "already in use", that should suffice. Think about the big players on the web. When you register your email it says yay or nay if you can use the username...
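The server side of the flow the question describes (action `check_username_availability`, nonce field `s`, username field `u`), with the two points the answer raises (the `ABSPATH` guard and a yes/no answer) plus a per-client throttle, as an added example; it is not code from the question, the answer or WordPress itself. It assumes it is loaded from the theme's `functions.php`. The `una_` function names, the `UNA_*` constants, the rate-limit numbers and the `js/register.js` path are this example's own assumptions; the WordPress functions it calls (`check_ajax_referer`, `wp_localize_script`, `get_transient`/`set_transient`, `sanitize_user`, `validate_username`, `username_exists`, `wp_send_json_success`/`wp_send_json_error`) are real core APIs.

```php
<?php
/**
 * Added example for the question above, not the asker's or WordPress's code.
 * Assumed to live in the theme's functions.php. Names prefixed una_/UNA_ and
 * the numbers below are assumptions chosen for this example.
 */

// Guard against the file being requested directly, the convention the answer
// refers to: outside a WordPress bootstrap ABSPATH is undefined, so bail early.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const UNA_NONCE_ACTION = 'check_username_availability';
const UNA_RATE_WINDOW  = 60;  // seconds per window (assumption)
const UNA_RATE_LIMIT   = 10;  // checks allowed per window per client (assumption)

/**
 * Hand the nonce to the browser. The front-end script (path assumed) then
 * sends it back as the "s" field, exactly like the data object in the question.
 */
function una_enqueue_assets() {
    wp_enqueue_script( 'una-register', get_stylesheet_directory_uri() . '/js/register.js', array( 'jquery' ), null, true );
    wp_localize_script( 'una-register', 'unaAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( UNA_NONCE_ACTION ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'una_enqueue_assets' );

/**
 * Fixed-window counter per client kept in a transient. Returns true while the
 * client is under the limit. Note that set_transient() resets the expiry on
 * every hit, so a client that keeps sending stays blocked; that errs on the
 * strict side, which is what we want here.
 */
function una_rate_limit_ok( $client_ip ) {
    $key   = 'una_rl_' . md5( $client_ip );
    $count = (int) get_transient( $key );
    if ( $count >= UNA_RATE_LIMIT ) {
        return false;
    }
    set_transient( $key, $count + 1, UNA_RATE_WINDOW );
    return true;
}

/**
 * admin-ajax.php handler for action=check_username_availability.
 * Registered for both anonymous and logged-in callers, since a registration
 * form is used by visitors who have no account yet.
 */
function una_check_username_availability() {
    // 1. Nonce check on the "s" field. With $die = false it returns false instead
    //    of dying, so we can answer with a proper 403. This rejects requests that
    //    did not originate from a page this site rendered (e.g. cross-site POSTs).
    if ( ! check_ajax_referer( UNA_NONCE_ACTION, 's', false ) ) {
        wp_send_json_error( array( 'message' => 'invalid request' ), 403 );
    }

    // 2. Per-client throttle, so one script cannot hammer the database or walk
    //    a username wordlist through this endpoint at full speed.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if ( ! una_rate_limit_ok( $ip ) ) {
        wp_send_json_error( array( 'message' => 'too many requests' ), 429 );
    }

    // 3. Normalise the input the same way registration will, so the answer we
    //    give matches what wp_create_user() would actually accept.
    $raw      = isset( $_POST['u'] ) ? wp_unslash( $_POST['u'] ) : '';
    $username = sanitize_user( $raw, true );

    // 4. One boolean, as the answer suggests. Invalid, reserved and taken names
    //    all read as "not available", so the response says no more than the
    //    registration form itself would say on submit.
    $available = validate_username( $username ) && ! username_exists( $username );
    wp_send_json_success( array( 'available' => $available ) );
}
add_action( 'wp_ajax_nopriv_check_username_availability', 'una_check_username_availability' );
add_action( 'wp_ajax_check_username_availability', 'una_check_username_availability' );
```

The nonce answers the "is this request really coming from my form" part of Q1 but does nothing about volume: a visitor who loaded the form holds a valid nonce for hours and can replay it freely. The transient counter is what a single theme can do about an abusive client; a distributed flood has to be absorbed in front of PHP (web-server rate limiting, a CDN or a WAF). Behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so key the counter on the forwarded client address only if that proxy is trusted to set it. On Q2, even a bare boolean still confirms which usernames exist; that is inherent to an availability check, and the throttle is what turns "dump the member list" into a slow, noisy job rather than a quick one.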