Hey @chiefalchemist
You’re right to keep this sort of thing in mind when it comes to securing your site. Take a look at some of these plugins which provide two-step authentication:
https://codex.wordpress.org/Two_Step_Authentication#Plugins_for_Two-Step_Authentication
The short answer is that WordPress itself doesn’t consider the username to be sensitive data. Using strong passwords and using two-step authentication via a plugin are good recommendations.
WordPress might not, but that doesn’t make it right, does it? 🙂
Perhaps its just my comp sci education but a good DBA will tell you never have a field do “double duty” it can only lead to bad things.
A login name, and a communication / mention name are two very different properties. Two-step or not they really should be doing double duty.
Note: I’m not being a critic. That’s not my thing man 🙂 Just pointing out that a reasonable DBA would frown upon the current approach – especially in the content of the @mention of BP.
Whilst you’re completely right in what you say (WordPress actually encourages site administrators to use a different username to “admin’), this sort of thing is hard to avoid. Facebook, Twitter and the like all allow users to login with their username which is easily guessable after visiting that particular user’s profile page. Don’t forget though, user permissions are usually basic. However, what *should* be avoided is exposure of the administrator’s username. If a hacker were to gain access to such an account, then they could do far more damage. For this reason, the admin account is likely to be more of a target in any brute force attack than a standard ‘member’.
My advice would be, change your administrator account username to something obscure and don’t tell anyone that particular member is the admin.
I would also add a plugin that limits login attempts. This would prevent brute-force password attempts from happening.
@r-a-y Theme My Login provides that functionality if the security module is enabled. I’ve used it and it seems to work quite well.
Ref: https://wordpress.org/plugins/theme-my-login/
@henrywright – Yup. I hear ya. I just think in the spirit of weekly WP Security issues – which yes are quite often bad plugin code but none the less effect perception of WP – a bit more attention to detail would be nice. That is, the best practice would at least be to make it an option. Unless of course we’re talking about brain surgery then maybe I’ll just hope a couple aspirin and hope for the best 🙂
While I’m sure BP is flattered that you compare it to FB I’m not so sure that helps the rest of us who don’t have Mark Z “f*ck you” money to pay people to fix holes. That’s all 🙂
And thanks for Theme My Login, I’ll check that out. I hate testing new plugins only to find out they suck. Recommendations are always a bit plus. Cheers.
@ChiefAlchemist I agree with alot of what you said above, however i havent tested 2.1 yet as im still on 2.0.3, i am a little bit wary of updating at the min after reading various problems already cropping up for people. but surely the best way around this would be to let the new @ mentions only show users friends?
I mean if you could only show friends when mentioning someone then the admin account would never be visible to anyone unless the admin started adding friends lol, if you wanted to mention someone that was not your friend you would have to just type ther full username? what do you think?
Infact i would prefare it only to visibly show my friends when mentioning someone instead of the whole site members lol, this way if you was mentioning someone that wasnt a friend you would have to know exactly who you wanted to mention like i just did with you.
so to sum up what i just said.
1. auto suggest should only show friends
2. mentioning someone outside of you friends should require you to know exactly who you wanted to mention
@mcpeanut
Agreed, this is far from ideal. I mean, even if you have users who are not admin but not subscribers either (e.g. editor), there’s at least some risk at the non-admin level. The obvious ideal would be to not use the user login credentials as user name. This is especially true if – for some reason – you want to use email address as user name.
Listen. I realize ANYTHING can be hacked if someone is up for the task. I’m simply suggesting trying to mitigate such risks.
Finally, let’s be honest, FB makes compromises because it’s not as interested in security as it is getting new users to sign up and then harvest as much personal details as possible. This is a flaw that WP / BP could be using to its marketing advantage if it wasn’t willing to follow the blind. Being alone is better than following and being wrong. At least that’s what mum always said 😉
I think you guys have a point and agree almost fully with what you say. Where my own personal view may differ slightly is on using usernames as login credentials. I think it’s acceptable for the following reasons:
- As you’re aware, as with any system that requires user access, things are a trade-off. Security has to be balanced against usability. A completely secure system will deny all access, period. However, that system wouldn’t be useful to anyone. Whereas a completely usable system wouldn’t require authentication. But that would be totally insecure. As you can see there needs to be some middle ground
- Allowing username and password access (instead of email and password access) makes it easier for users to login, which makes a system more appealing to use because users gain access quicker and don’t need to type their long email addresse
- Standard member accounts have limited privileges, so even if a breach occurs, limited damage can be done
That said, as I said earlier, administrator accounts shouldn’t be labeled as such on the front end and should ensure the username is obscure (i.e. not admin). And regardless of the user account in question, strong passwords should be encouraged.
That’s my own personal take on it. I’m sure lots of people would be able to point out many more drawbacks (and advantages) of doing things this way
