'@username' for the administrator account – Is this a security problem?

Hi,

I don’t know if I’m being a moron here or just over-paranoid, but I am concerned about security, i.e. being hacked.

In my WP/BP setup I am the administrator and I have locked out ALL other users from the admin panel by role. However, my ‘@username’ is displayed publicly within my BP profile along with my display name.

Now, if someone wished to hack my site, are they halfway there by having my login username (i.e. my @username)?

Should I be concerned about this? What steps can I take to make my setup very secure?

Is there anything I can put in my .htaccess to prevent a breach under my @username? Or any other steps to make my site secure?

Many Thanks In Advance :slight_smile:

  • Mason
    • DEV MAN’s Sidekick

    Hiya dekkydog,

    There’s no way to completely hide the usernames in BuddyPress that I know of. Sure, you could make it show the display name in certain areas within the theme and probably create a function so that @mentions use the display name, but the username would still be used for profile slugs, etc. The list goes on and on.

    So, if you’re seriously worried about security it may be wise to limit access to wp-admin to your IP Address only. To do this, create a separate .htaccess file in your wp-admin directory on your site and add the following:

    # wp-admin/.htaccess (Apache 2.2 access-control syntax)
    # Evaluate Deny rules first, then Allow rules; Allow wins on a match.
    Order Deny,Allow
    # Default: refuse every client.
    Deny from all
    # Exception: the one address that may reach the admin area.
    Allow from xx.xx.xx.xx

    Obviously change the x’s to your own IP address. Then you’ll be the only one who can access the admin area. The only thing is that if you travel or have a dynamic IP then you’ll potentially lock yourself out as well (without logging in as root to the server and removing the htaccess file).

    Anyone else have other recommendations here?

    Thanks!
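    The same restriction written out in full, as an added example that is not part of Mason’s post or of WordPress/BuddyPress. It assumes an Apache host where `.htaccess` overrides are enabled, carries both the 2.2 and the 2.4 syntax so it keeps working after a server upgrade, allows more than one trusted address (which eases the dynamic-IP problem if you also have a fixed VPN or office range), and keeps `admin-ajax.php` reachable, since front-end plugins call it for anonymous visitors. The addresses are documentation placeholders to be replaced with your own.

```apache
# Added example: wp-admin/.htaccess restricting the admin area by source address.
# 203.0.113.10 and 198.51.100.0/24 are placeholders; substitute your own IPs.

# Apache 2.4+ (mod_authz_core): any one matching rule grants access.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</IfModule>

# Apache 2.2 (or 2.4 with mod_access_compat): deny everyone, then allow the listed addresses.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>

# admin-ajax.php is used by themes and plugins for ordinary visitors,
# so it must stay open or those front-end features silently break.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>
```

    Two caveats worth knowing before relying on this: `wp-login.php` lives in the site root, not in `wp-admin/`, so this file limits who can use the dashboard but does not by itself stop login attempts against the publicly visible username; and if Apache is behind a reverse proxy or CDN, the address it sees is the proxy’s, so the rule must be based on the real client address (for example via `mod_remoteip`) or it will either lock everyone out or let everyone in.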

  • dekkydog
    • WPMU DEV Initiate

    Hi Masonjames,

    OK, it’s a simple way of securing the admin login, thanks :slight_smile:

    But yes a little bit annoying that when I’m “on the move” I have to get on my server and re-edit the .htaccess file with my current IP.

    Q) Do you know of any good reading/resources regarding security for WP & BP? I’m not far off going live and I’m looking into making my site secure from the most common threats. I am a bit of a newbie in this area.

    A kind of basic checklist would be perfect?

    Thanks :slight_smile:

  • Mason
    • DEV MAN’s Sidekick

    Hiya,

    I haven’t used that plugin myself, so can’t give you a positive or negative on it. I don’t imagine it will cause any issues due to BuddyPress though.

    I tend to roll my own security methods for the needs of a given project. The .htaccess is one of the best ways to lock things down, followed by having smart folder permissions. The final thing to remember is to use SFTP when logging into the site. Most ‘hacks’ are due to insecure folder permissions or insecure connections when logging into FTP.

    Some more info:

    http://digwp.com/2011/03/htaccess-wordpress-seo-security/

    http://codex.wordpress.org/Hardening_WordPress

    Hope that helps!

  • Timothy
    • Chief Pigeon

    If you are concerned about people knowing the admin username, then you could always delve into the code and make sure it doesn’t display, but then you will still have the slug within BuddyPress to deal with.

    You could just create a new Super Admin account and not use it for anything but administrating your site. Then use another lower-level one for general things.

    That said, if you are overly concerned about brute-force attacks, then you would want to harden your server firewall, f5 attacks, etc.

    And use an exceptionally long password, something at least 32 characters long and a good mixture of chars.

    Take care.
