Superadmin exposure in BuddyPress & security concerns

This question has been asked before in wpmudev more than once but no definitive answer has been given.

I have a multisite with BP and the superadmin name is "Community Manager" but that does not hide the superadmin username (let's call it "xyz123"). Because of this I cannot hide the superadmin's username from the members because it shows up when I author a post or I get a twitter-like mention "@xyz123".

Why is this security issue not built into BP, or at least why isn't there a plugin that hides the superadmin from the members list?

If I use this plugin I could create an administrator user (not superadmin) and give him the community manager role, and then hide the superadmin from the rest of the users.

You make life much easier for hackers when you expose the superadmin's username.

I'm new to BuddyPress and relatively new to WP, so maybe I'm missing something. Any ideas?

  • aristath

    Hello there @Al and welcome to the WPMU DEV Community!

    First of all, I think you've misunderstood something...
    BuddyPress is not our plugin.
    BuddyPress is an open-source project you can get on https://buddypress.org/ and can be found on the WordPress plugins repository here: https://wordpress.org/plugins/buddypress/

    In WordPress it is best if you don't use the superadmin for day-to-day operations. You should create another account and only use the superadmin when needed.

    Other than that, exposing the username is not a security issue. WordPress itself exposes usernames and there's no problem there.
    If you're worried about hackers trying to bruteforce-attack your site to find out the superadmin's password then you could simply use this plugin to block them: https://wordpress.org/plugins/limit-login-attempts/

    I hope that helps!

    Cheers,
    Ari.

  • Al

    I did not misunderstand anything. I know BuddyPress is not a WPMUDEV plugin. I know it's open source, and I read quite a bit about the history of its development.

    If you look at my question carefully you'll see that nowhere did I frame it as if I am a simpleton who thinks the plugin is yours and the security issue is your responsibility.

    I was just asking a general BuddyPress question, and if asking a general BuddyPress question is not customary at WPMUDEV (which I thought primarily specialized in BuddyPress and Multisite issues) then this is my real misunderstanding, and I shouldn't have subscribed to WPMUDEV in the first place.

    Anyway, I was worried about the possibility of a brute force attack, but you put my mind at ease. I installed the security plugin Wordfence, which allows you to limit the number of login attempts.

    Thanks.

  • aristath

    Hello again!

    I'm terribly sorry, in that case I misunderstood your original post!
    You said "You make life much easier for hackers when you expose the superadmin's username." and I thought the "You" was referring to us and was not a generalisation.
    My sincerest apologies. :)

    Yes, bruteforce attacks can be safely prevented using WordFence.
    Just a word of caution though... Be very careful, because I've seen a lot of users get over-excited with that particular plugin and try to make their site over-secure... The result is changes in their htaccess file that make their site completely inaccessible, or block legitimate users. :)

    Cheers,
    Ari.
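For the "hide the superadmin from the members list" part of the original question, here is an added example (not code from BuddyPress, WPMU DEV or anyone in this thread) of a small must-use plugin that excludes network super admins from the BuddyPress members directory. It assumes the `bp_ajax_querystring` filter that BuddyPress uses to build its directory queries and the core WordPress functions `get_super_admins()`, `get_user_by()`, `wp_parse_args()` and `build_query()`; the function names prefixed `example_` are hypothetical. As Ari notes above, this only reduces what is listed; the real mitigations are a separate day-to-day account and login rate limiting, and the username still appears on posts and @mentions.

```php
<?php
/**
 * Plugin Name: Example - hide super admins from the BuddyPress members directory
 * Place in wp-content/mu-plugins/. Added example for this thread, not part of
 * BuddyPress or WPMU DEV; function names are hypothetical.
 */

// Resolve the network super admins (get_super_admins() returns login names) to user IDs.
function example_super_admin_ids() {
    $ids = array();
    foreach ( (array) get_super_admins() as $login ) {
        $user = get_user_by( 'login', $login );
        if ( $user ) {
            $ids[] = (int) $user->ID;
        }
    }
    return $ids;
}

// Merge the super admin IDs into the "exclude" argument of the members directory query.
function example_exclude_super_admins_from_members( $query_string, $object ) {
    // Only touch the members directory, not groups, activity or other loops.
    if ( 'members' !== $object ) {
        return $query_string;
    }

    $ids = example_super_admin_ids();
    if ( empty( $ids ) ) {
        return $query_string;
    }

    // Preserve any exclusions another plugin or theme already added.
    $args     = wp_parse_args( $query_string );
    $existing = ! empty( $args['exclude'] ) ? explode( ',', $args['exclude'] ) : array();
    $merged   = array_unique( array_map( 'intval', array_merge( $existing, $ids ) ) );

    $args['exclude'] = implode( ',', $merged );
    return build_query( $args );
}
add_filter( 'bp_ajax_querystring', 'example_exclude_super_admins_from_members', 20, 2 );
```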
