New to bbPress – registration email
I have just installed bbPress on my site. I created a test user to see how it works. I was horrified to see that the email included a url for registration that is the admin url I use. I have changed this from the default for reasons of security and do not really want to be sending out my wp admin login url to everyone who registers on the site. Is there a way around this or is it a WordPress thing?
bbpress just uses WordPress registration and login.
bbpress then just assigns the default role on first login that is set in Dashboard>settings>forum>roles if you have that ticked, or you can manually assign if you wish.
Therefore you can ignore anything bbpressy on registration and login, and just use anything that WordPress does instead.
This gives you the ability to utilise plugins such as ‘theme my login’ to give yourself a nice registration and login (there are plenty of other good login plugins, just search around).
It looks like you have already changed the default wp urls – which is great and good security practice, so suggest you just don’t use bbpress login shortcodes or widgets, and let WordPress do your registration and login.
Do come back if you need further help
Thanks for the very quick reply Robin. And for the tips. Not sure I have been very clear. As you say I have changed my admin login from the default for security reasons. When I received the registration email though (presumably from WordPress?) it showed a link to confirm registration that included my altered wp login url; I don’t really want to be publicising that to everyone who registers for the forum. Is it possible to avoid this?
Maybe that I am missing something obvious, been at it a while today and need to take a break.
not quite sure what you want or whether I am mis-understanding?
People need to be able to login, and for that they need a login url, and that will be your altered login url. How else can they log in?
Just me being dumb. I sort of got frightened by the exhortations I have seen to change the default login url for security reasons and was extrapolating that this needed to be kept relatively secure! But I take your point!
So the main thing is that it is changed. Making me wonder if I should change it to something that is more recognisable as a login but still pretty unique?
I take it that the login url(s) on this site are database generated? Or will WordPress do a similar thing for our site?
70% of internet sites worldwide are WordPress! Every hacker in the world knows how to identify a WordPress site. Probably 90% of sites don’t change the login url, so is this a risk?
The answer is not really.
Every site has to have a login screen, and that is visible to a hacker. If a hacker guesses an ordinary user, then all they get is an ordinary user’s access, so at worst they can create a post in someone else’s name.
What they are after is the admin user and their password. Then they can install plugins that add files to the site that can be used to say create a sub site that looks like a bank and try and get info from email links. You will have received scam emails with links to dodgy sites where this has been done.
The majority of site owners leave their username as admin, so hackers try and guess passwords based on the site name – so for say the French Horse Society website (if it existed) you might try admin with a password of FHS123 or french01 etc.
In other words they try and guess passwords for site owners who have set themselves a password they can remember.
If you use a WordPress generated password, then there is no chance that a hacker will guess this or realistically can use software to break the site.
Now hackers use computers to find and target sites – they don’t sit at screens and look at websites.
So if you change your login url, then the ‘robots’ won’t see it, and chances are that they will just move on to another site, rather than search your site for a page that has login on it, but they can do this, so changing the url doesn’t stop this, it just means that you make yourself a lesser target. So it’s a good idea, but not a failsafe.
Much more critically you need to have a WordPress generated password for your admins.
I’d also suggest that you look to install the wordfence plugin. This stops multiple attempts to guess passwords on your site, as well as a load of other security stuff. The free version is fine, and you will get lots of emails from wordfence and some that pester you to upgrade, but it is a great plugin.
Last of all – don’t get obsessed by this – your website is for you and others to enjoy. Owning a diamond is lovely unless you spend your whole life worried about whether it will get stolen!
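An added example, not part of the original posts and not Wordfence's code: a sketch of the "multiple attempts" check the reply above describes, run over constructed access-log lines. The renamed login path `/members-door`, the thresholds, and the reading of a 200 response to a login POST as a failed attempt are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed access-log lines (documentation IP ranges, made-up paths)."""
    fmt = '{ip} - - [10/Mar/2024:{t} +0000] "POST {path} HTTP/1.1" {status} 4512'
    lines = []
    # Eight failed guesses in 35 seconds against the renamed login URL.
    for i in range(8):
        lines.append(fmt.format(ip="203.0.113.7", t=f"10:00:{i * 5:02d}",
                                path="/members-door", status=200))
    # A member who mistypes twice and then gets in.
    for sec, status in ((0, 200), (20, 200), (40, 302)):
        lines.append(fmt.format(ip="198.51.100.20", t=f"10:05:{sec:02d}",
                                path="/members-door", status=status))
    # Six failures spread over an hour: below the rate threshold.
    for i in range(6):
        lines.append(fmt.format(ip="192.0.2.9", t=f"11:{i * 10:02d}:00",
                                path="/wp-login.php", status=200))
    return "\n".join(lines)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def flag_guessing(log_text, login_paths, max_failures=5,
                  window=timedelta(minutes=5)):
    """Return IPs with more than max_failures failed login POSTs inside window."""
    recent = defaultdict(deque)   # per-IP timestamps of recent failures
    flagged = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, url, status = m.groups()
        path = url.split("?", 1)[0]
        # Assumption: a failed login re-renders the form (200), a success redirects (302).
        if method != "POST" or path not in login_paths or status != "200":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(ip)
    return flagged
```

The check has to be given the renamed path as well as the default one: with only `/wp-login.php` configured, the burst against the renamed URL goes uncounted.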
Hi Robin, Thanks for that bit of perspective on the whole thing. I always use generated passwords for important logins like admin that I could not possibly remember, as you may have guessed! Wordfence looks like something that would replace the plugin I have which is Shield (free version).
From the point of view of users of the site I can see that having a url with ‘login’ in it, makes a sort of sense for those who look at the url.
I use bbpress no spam notify plugin where you control the content of each email that is sent out …