
Change url somehow for admin’s profile?

  • synergywp
    Participant

    @synergywp

    Hi,

    As part of security for WP, I think it’s a good idea to keep admin’s info away from any visitors when possible. I.e. don’t use “Admin” for the admin login, but a custom one. I have done this on my site in question, but obviously now with BP installed, someone hovers over my name and goes to my profile and can easily see what my admin username is. They can even see it just in the URL, so disabling view of a username via conditionals won’t work either. Even if I do a redirect from that URL to the main page, well, they still see it on the link when hovered over: http://domain.com/members/adminexamplename/ And also, I would want people to visit the admin profile anyways, just to see the forum posts, etc.

    Does anyone have any ideas? Thanks.

Viewing 10 replies - 1 through 10 (of 10 total)
  • @modemlooper
    Moderator

    @modemlooper

    Options:

    Create a new user, then give that user admin privileges and then delete the admin account. This may delete the content associated with the deleted account.

    Edit database directly. Links may get broken.

    This plugin: http://buddydev.com/buddypress/allow-your-users-to-change-their-username-on-your-buddypress-based-site/

    synergywp
    Participant

    @synergywp

    Problem with option 1: the admin will still be an active role on the site… So the new admin account would then be able to be seen. Problem with having the user have admin privileges is someone could still come in and delete any posts, etc.

    When you say edit database directly, do you mean just changing the username? I thought because of the tight integration between WP and BP, the username for BP is the exact field as $user->user_login. So, unless it’s two different fields, this wouldn’t work.

    I’m seeing that plugin, but it’s still the same issue I suppose… People will still see the username through hovering over or viewing the profile’s URL… i.e. your login is modemlooper. Is it not? Mine is synergywp. Everyone knows this, so it’s just a matter of a malicious visitor getting a password somehow.

    Thanks for the help, but maybe I didn’t properly explain… I don’t want people to be able to see the username, in any way shape or form, of an active admin, but I want the admin to be able to be active in the forums/members list, etc.

    @modemlooper
    Moderator

    @modemlooper

    I’m not seeing how someone can tell you’re an admin if the username is not admin. If you change the username to something else the account will just look like any other account. If you are so concerned about someone breaking into your site, lock down the WP backend to your home IP address or google some of the options for protecting WordPress.

    Also back up the database regularly so you can just reinstall if hacked.

    Roger Coathup
    Participant

    @rogercoathup

    @synergywp – I understand where you are coming from re: visibility of username in the url and the consequent reduction in site security.

    It’s a fundamental part of the way BuddyPress sets up the URL structure, but should theoretically be possible to rework the rewrite system to implement something more secure. Perhaps in the Facebook style, where user ID in the URL is just a number (until they change it to a preferred name), and does not reveal their login username (an email).

    Would be interesting to get feedback from an informed core developer on this subject. Did you check the trac to see if it had been raised before?

    [EDIT: having said all that, is Facebook much more secure? -- if someone knows my email address, they know my username]

    @modemlooper
    Moderator

    @modemlooper

    `[EDIT: having said all that, is Facebook much more secure? -- if someone knows my email address, they know my username]`

    Exactly my point.

    Roger Coathup
    Participant

    @rogercoathup

    @modemlooper – I missed where you made that point?

    @modemlooper
    Moderator

    @modemlooper

    My suggestions for security by other means is saying the same thing in a roundabout way. The username is the least concern IMHO. Exactly THE point I should have said.

    synergywp
    Participant

    @synergywp

    Well… I’m running a site that the members would like to know the admin is active on… responding to questions, posts, etc. It would be like coming here and finding the developers never talk on the forums. So, it’s simple… Someone knows 1/2 of the equation to enter my admin account. Just like on here, I know 1/2 the equation to get into your account. I’m not a hacker by any means, but there are others out there who like to do malicious things to sites just for the hell of it. I have customers involved, so if someone hacks my site, that makes me look very bad. That’s all. I just thought I would ask.

    I know in a response you mentioned googling methods to help secure WP. Well, I know from several years ago about making a database edit to the username for the original admin. This was before you could choose the first admin’s username. This made very good sense to me now because now it’s like you almost need 2 passwords. But now, with the way this is all implemented in BP, and without a workaround, changing “admin” to something else is useless.

    The only other thing I can think of would be to just make another account that is an Editor or similar role and only do posts on that. This way they won’t be able to access things like user info, etc.

    Didn’t mean for this to blow up, just thought there might be a simple function to call. That’s all :) Thanks for the interest.

    synergywp
    Participant

    @synergywp

    Figured it out:

    Hopefully this doesn’t break anything, but I’ve tested it with profiles and it works.

    I looked in the database and changed my specific admin account’s “nicename”… the nicename is there I’m pretty sure for exactly that, a name that plays nice with URLs.
    I’ve made the nicename into ‘adminexample’ while my login remains the same. On the members listings, my URL for my profile is ‘adminexample’.

    Success! I think. Does anyone have any ideas why a user’s login and nicename would need to be exactly the same?

    [Edit: just thought of one... If another user makes an account with "adminexample" we could have issues]

    Finding from Edit:

    Success! I created a new account with the “adminexample” as the username (same as the admin’s account nicename) and it simply created a /members/adminexample-2/ for the profile page. Awesome.

    Now, having figured this out, it doesn’t seem unreasonable for this to be somehow integrated into BP core, but I do realize this could mess up a lot of other plugins. Guess that’s why I’m not a big time developer.

    Enjoy if this helps you. :)
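
The nicename change from the post above, done through WordPress's own functions instead of a direct database edit, as an added example that is not part of the original thread. The `example_*` function names are hypothetical, and the code assumes it runs inside a loaded WordPress install (for example through WP-CLI's `wp eval-file`).

```php
<?php
// Added example, not code from the thread. Assumes WordPress is loaded.
// Function names prefixed example_ are hypothetical.

/**
 * Return IDs of administrators whose profile slug (user_nicename)
 * is still the default derived from user_login.
 */
function example_admins_exposing_login() {
	$exposed = array();
	foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
		if ( sanitize_title( $user->user_login ) === $user->user_nicename ) {
			$exposed[] = (int) $user->ID;
		}
	}
	return $exposed;
}

/**
 * Set a profile slug that differs from the login name.
 * Returns the user ID on success or a WP_Error.
 */
function example_set_profile_slug( $user_id, $slug ) {
	$user = get_userdata( $user_id );
	$slug = sanitize_title( $slug );
	if ( ! $user || '' === $slug ) {
		return new WP_Error( 'example_bad_input', 'Unknown user or empty slug.' );
	}
	if ( sanitize_title( $user->user_login ) === $slug ) {
		return new WP_Error( 'example_same_as_login', 'Slug still reveals the login.' );
	}
	// The case raised in the post's edit: another account may already use
	// this name as its login or slug, so refuse instead of colliding.
	foreach ( array( 'login', 'slug' ) as $field ) {
		$other = get_user_by( $field, $slug );
		if ( $other && (int) $other->ID !== (int) $user_id ) {
			return new WP_Error( 'example_slug_taken', 'Name already in use.' );
		}
	}
	// wp_update_user() also clears the user cache, unlike a raw SQL edit.
	return wp_update_user(
		array( 'ID' => $user_id, 'user_nicename' => $slug )
	);
}
```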

    @modemlooper
    Moderator

    @modemlooper

    I have a plugin called BP Verified and you could use it to identify a normal editor account as a site “admin”, not the WordPress install admin. This would draw attention away from the real admin account.
