[wp-hackers] Possible security patch
Nathan Rice
ncrice at gmail.com
Mon Dec 7 14:11:22 UTC 2009
If the suggestion is to leave the admin account intact (and hardened with a
strong PW), but create a separate account with decreased privileges for
posting, then might I suggest letting both accounts have the same email
address? It's really frustrating to have to figure out an alternate email
account to use with one or the other WP accounts.
I still don' think this method properly accounts for a username being
clearly visible from all over the place. Letting users control what gets
used seems like a decent way of making brute-force attacks just a little bit
harder for bots to crack.
------------------
Nathan Rice
WordPress and Web Development
www.nathanrice.net | twitter.com/nathanrice
On Mon, Dec 7, 2009 at 8:56 AM, Peter Westwood <peter.westwood at ftwr.co.uk>wrote:
>
> On 7 Dec 2009, at 08:32, Lynne Pope wrote:
>
>>
>> Agree with Ian here. Prompting to rename "admin" AND create another
>> account
>> for posting, recommending they use the Editor role for that second
>> account.
>>
>> If there is going to be a prompt it really needs to spell things out,
>> otherwise we'll see people creating a second user name ok, with admin
>> privileges.
>>
>>
> I'm not sure I understand the security benefit of renaming the admin
> account.
>
> You don't go round renaming the root account on a UNIX install to improve
> security - you lock the account down with a secure password and use it
> appropriately working as a normal user as much as possible
>
> The process of creating an account for posting could be part of a
> post-install guided process - maybe if you go to the Add New post screen you
> get a message about creating a user to write posts with seperate from the
> admin user with a way to dismiss this message.
>
> I think we need to careful explore the best user experience on this before
> we rush in and do something - maybe we need to work through a couple of
> different wireframes on this.
>
> Peter
> --
> Peter Westwood
> http://blog.ftwr.co.uk | http://westi.wordpress.com
> C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
>
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
More information about the wp-hackers
mailing list