'@username' for the administrator account - Is this a security problem?
WPMU DEV Community
dekkydog (Member) — 2nd February 2012 (3 months ago)
Hi,
I don't know if I'm being a moron here or just over-paranoid, but I am concerned about security, i.e. being hacked.
In my WP/BP setup I am the administrator and I have locked out ALL other users from the admin panel by role. However, my '@username' is displayed publicly within my BP profile along with my display name.
Now, if someone wished to hack my site, then they are halfway there by having my login username (i.e. my @username)?
Should I be concerned about this? What steps can I take to make my setup very secure?
Is there anything I can put in my htaccess to prevent a breach under my @username? Or any other steps to make my site secure?
Responses (8)
Sales & Support Lead (Masonjames) — 2nd February 2012 (3 months ago)
Hiya dekkydog,
There's no way to completely hide the usernames in BuddyPress that I know of. Sure, you could make it show the display name in certain areas within the theme and probably create a function so that @mentions use the display name, but the username would still be used for profile slugs, etc. The list goes on and on.
So, if you're seriously worried about security it may be wise to limit access to wp-admin to your IP address only. To do this, create a separate .htaccess file in your wp-admin directory on your site and add the following:
    Order Deny,Allow
    Deny from all
    Allow from xx.xx.xx.xx
Obviously change the x's to your own IP address. Then you'll be the only one who can access the admin area. The only thing is that if you travel or have a dynamic IP then you'll potentially lock yourself out as well (without logging in as root to the server and removing the htaccess file).
Anyone else have other recommendations here?
Thanks!
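The IP restriction above, as an added example that is not part of Masonjames's reply or of any WPMU DEV product: a small POSIX shell script that validates the address before it is written into the file (so a typo or stray character never lands in the Apache config), emits the Apache 2.2 directives from the reply alongside the Apache 2.4 `Require ip` form, keeps a backup of any existing file so a lockout is easy to undo over SSH/SFTP, and adds one exception the reply does not mention: BuddyPress and many themes call `wp-admin/admin-ajax.php` from the public front end, so without the `<Files>` block below members on other addresses get 403 errors on AJAX features. The address 203.0.113.10 and the `wp_root` path are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): build wp-admin/.htaccess that limits the
# dashboard to one IPv4 address or CIDR range while keeping admin-ajax.php open.

# validate_ip IP[/PREFIX]: accept only a dotted-quad IPv4 address with an
# optional /0-32 prefix. Returns 0 when valid, 1 otherwise.
validate_ip() {
    addr=$1
    printf '%s\n' "$addr" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' || return 1
    case $addr in
        */*) prefix=${addr##*/}; [ "$prefix" -le 32 ] || return 1 ;;
    esac
    quad=${addr%%/*}
    old_ifs=$IFS; IFS=.
    set -- $quad            # split the quad into four positional parameters
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_htaccess IP[/PREFIX]: print the .htaccess body. The Order/Deny/Allow
# lines are the ones from the reply (Apache 2.2); Apache 2.4 only understands
# them with mod_access_compat loaded, so the 'Require' form is emitted for it.
render_htaccess() {
    validate_ip "$1" || { echo "render_htaccess: invalid address '$1'" >&2; return 1; }
    cat <<EOF
# Only the listed address may reach the WordPress dashboard.
<IfModule mod_authz_core.c>
    Require ip $1
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from $1
</IfModule>

# admin-ajax.php is used by front-end features (BuddyPress, themes, plugins);
# leave it reachable from everywhere or those features break for other users.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
EOF
}

# write_htaccess IP[/PREFIX] WP_ROOT: write the file atomically, keeping a .bak
# copy of any existing file so you can restore it over SSH/SFTP if locked out.
write_htaccess() {
    wp_root=${2:-.}
    target="$wp_root/wp-admin/.htaccess"
    if [ -f "$target" ]; then
        cp "$target" "$target.bak"
    fi
    render_htaccess "$1" > "$target.tmp" && mv "$target.tmp" "$target"
}

# Usage (sample values): write_htaccess 203.0.113.10 /var/www/html
```

After writing the file, check it from a second address (a phone on mobile data will do) to confirm the dashboard answers 403 there while the site's front end and AJAX features still work. For the dynamic-IP problem the reply describes, a CIDR range such as `203.0.113.0/24` widens the allowed set but also lets in everyone else in that range; a VPN or jump host with a fixed egress address is the tighter option.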
Member (dekkydog) — 2nd February 2012 (3 months ago)
Hi Masonjames,
OK, it's a simple way of securing the admin login, thanks :-)
But yes a little bit annoying that when I'm "on the move" I have to get on my server and re-edit the .htaccess file with my current IP.
Q) Do you know of any good reading/resources regarding security for WP&BP. I'm not far off going live and I'm looking into making my site secure from the most common threats. I am a bit of a newbie in this area.
A kind of basic checklist would be perfect?
Thanks :-)
Member (dekkydog) — 2nd February 2012 (3 months ago)
Hi,
just to follow up on my previous thread...
...I have seen a plugin called "Bulletproof" - http://wordpress.org/extend/plugins/bulletproof-security/
It looks pretty feature packed but I'm not sure about compatibility with BP?
Have you seen this? Or used it?
Thanks!
Sales & Support Lead (Masonjames) — 2nd February 2012 (3 months ago)
Hiya,
I haven't used that plugin myself, so can't give you a positive or negative on it. I don't imagine it will cause any issues due to BuddyPress though.
I tend to roll my own security methods for the needs of a given project. The htaccess is one of the best ways to lock things down, followed by having smart folder permissions. The final thing to remember is to use SFTP when logging into the site. Most 'hacks' are due to insecure folder permissions or insecure connections when logging into FTP.
Some more info:
http://digwp.com/2011/03/htaccess-wordpress-seo-security/
http://codex.wordpress.org/Hardening_WordPress
Hope that helps!
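The "smart folder permissions" point above, as an added example that is not from the reply or from the linked Codex page: a POSIX shell audit-and-fix script. `world_writable` lists anything under the WordPress root that every account on the host can write to (the result you want is empty), and `harden_perms` applies the usual 755 for directories, 644 for files and 600 for `wp-config.php` (it holds the database password and salts). It assumes the files are owned by your SFTP user and that PHP runs as that same user or does not need to write outside uploads; if your web server runs as a different account and must write to `wp-content/uploads`, give that directory group write access for the web server's group instead of loosening everything. All paths in the test are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): audit and tighten permissions under a
# WordPress root. Run as the file owner (your SFTP user) or as root.

# world_writable ROOT: print every path under ROOT that any user can write to
# (symlinks skipped, since their mode is meaningless). Empty output is good.
world_writable() {
    find "$1" -perm -0002 ! -type l
}

# harden_perms ROOT: directories 755, files 644, wp-config.php 600.
# The config file is done last so the general file pass cannot loosen it again.
harden_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# mode_of PATH: print the octal permission bits; tries GNU stat, then BSD stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage (sample path): world_writable /var/www/html; harden_perms /var/www/html
```

Run `world_writable` first and read the list before fixing anything: a world-writable directory that a plugin created for its cache tells you which plugin expects to write there, and that is worth knowing before the web server starts returning permission errors. Pair this with the SFTP advice in the reply; plain FTP sends the same credentials that own these files in cleartext.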
Member (dekkydog) — 2nd February 2012 (3 months ago)
Hi,
I'll check out the links.
very helpful :-)
Thanks for the tips!
Support Chimp (Tim) — 2nd February 2012 (3 months ago)
If you are concerned about people knowing the admin username then you could always delve into the code and make sure it doesn't display, but then you will still have the slug within BuddyPress to deal with.
You could just create a new Super Admin account and not use it for anything but administrating your site. Then use another, lower-level one for general things.
That said, if you are overly concerned about brute-force attacks then you would want to harden your server firewall, F5 attacks, etc.
And use an exceptionally long password, something at least 32 characters long and a good mixture of characters.
Take care.
Member (dekkydog) — 6th February 2012 (3 months ago)
Hey Tim,
Great idea ..... create a super admin account and don't use this account publicly. Seems obvious now.... doh!
Thanks.
Support Chimp (Tim) — 6th February 2012 (3 months ago)
No worries, glad I could help. :-)