
Security Concern


  • CSCLEGAL
    Member

    @csclegal

    Just curious if there is a way to remove the username from my public profile as the ADMIN. This to me is a security concern since I am then providing half of the access information to the world!

Viewing 9 replies - 1 through 9 (of 9 total)

  • chrishajer
    Participant

    @chrishajer

    Not sure if this is spam or not, but you are in control of your username when you register. Register with a name that you are comfortable sharing with the world.

    In fact, if I delete this one post, no one will ever know there is a profile here for you unless they can guess the name.


    _ck_
    Participant

    @_ck_

    I think they mean where the admin is hidden on a system so the account is not a target to get hacked.

    On each post, bbpress shows your level.

    You can just create a different account to post with and another to administrate.


    CSCLEGAL
    Member

    @csclegal

    I mean like on this page: http://bbpress.org/forums/profile/chrishajer

    Your username to log in is chrishajer? Just want to be able to disable the visibility of the “username” as I feel this compromises security a bit.


    _ck_
    Participant

    @_ck_

    Ah, you mean you want to work under the display name in 1.x.

    The problem is the user functions in bbPress work with user login or the user id.

    Security via obscurity never works for long.

    But you’re probably working under user id # 1, which is also a potential security issue as it gives hackers a target.


    zaerl
    Participant

    @zaerl

    Just want to be able to disable the visibility of the “username” as I feel this compromises security a bit.

    You can hide it with a plugin but the user login is still in the URL:

    bbpress.org/forums/profile/chrishajer

    With a plugin of mine you can hide profile pages, but it hides the entire page. Or in other words, it spawns an error page with a custom message. I don’t think this is what you need.


    chrishajer
    Participant

    @chrishajer

    How is this a security concern? I don’t get it.


    _ck_
    Participant

    @_ck_

    It’s a point of attack.

    The idea of hiding the user id or user login for admin is an old security suggestion that is still around.

    Because, like WordPress, there is no limit on password attempts, someone can do a dictionary attack against the user name or, knowing the id, they can try to find holes in the API.

    So by hiding it, it’s just a little harder.

    IMHO this would not be worth the effort and would break too many things.
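
The missing limit on password attempts mentioned in the post above is the control that matters once a username is public. A sliding-window limiter for failed logins, as an added example that is not part of the thread and is not bbPress or WordPress code; the class name, thresholds and sample address are assumptions:

```python
import time
from collections import deque


class LoginThrottle:
    """Sliding-window cap on failed logins, tracked per username and per source IP.

    Hypothetical helper for illustration; thresholds are assumed values.
    """

    def __init__(self, max_failures=5, window=300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window          # seconds a failure stays counted
        self.clock = clock            # injectable so tests can control time
        self._failures = {}           # key -> deque of failure timestamps

    def _recent(self, key):
        q = self._failures.get(key)
        if q is None:
            return 0
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:   # drop failures that aged out
            q.popleft()
        if not q:
            del self._failures[key]   # keep memory bounded
        return len(q)

    def allowed(self, username, ip):
        """Call before verifying the password; False means refuse the attempt."""
        return (self._recent(("user", username.lower())) < self.max_failures
                and self._recent(("ip", ip)) < self.max_failures)

    def record_failure(self, username, ip):
        now = self.clock()
        for key in (("user", username.lower()), ("ip", ip)):
            self._failures.setdefault(key, deque()).append(now)

    def record_success(self, username):
        # Reset only the account counter; the IP counter ages out on its own,
        # so a valid login elsewhere cannot reset a guessing source.
        self._failures.pop(("user", username.lower()), None)


if __name__ == "__main__":
    # Constructed run: one source failing repeatedly against a public username.
    throttle = LoginThrottle(max_failures=3, window=60.0)
    for n in range(1, 6):
        if not throttle.allowed("admin", "203.0.113.5"):
            print(f"attempt {n}: refused before password check")
            continue
        throttle.record_failure("admin", "203.0.113.5")  # every attempt fails here
```

Counting per username means anyone can temporarily lock the admin out by failing on purpose, so the window should stay short and the refusal should be logged for review.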


    chrishajer
    Participant

    @chrishajer

    I get it now: half the access information, i.e. the username. The password being the other half. Rather than break things, I’d probably lock down bb-admin using some of the WordPress security tips.


    _ck_
    Participant

    @_ck_

    I’d venture a guess that 99% of the WP security violations over the years have not been via login hacks. There are plenty of other ways to get in.

    They don’t even bother to protect the file that contains the MySQL password in plain text!
