Viewing 11 replies - 1 through 11 (of 11 total)
Plugin Author Paul

    (@paultgoodchild)

    Frankly I think one of the first things you should do is get rid of the primary admin user. That would by itself change the ID of the admin.

    I also don’t see the security implication of the admin ID.

Programmatically I can load any WordPress user by its ID and it will take a few seconds to run through a while loop until I find the ID of an admin user.

    What you need is good user verification protection – which this plugin provides – so the ID of the admin user is irrelevant.

    Changing admin ID is frankly useless – I’m happy to be shown otherwise though.

    Thread Starter wordspressed

    (@wordspressed)

    Hi Paul.

    Thanks for the reply and a great plugin.

    It’s a tricky one. I’ve been reading a few blogs and watching WordCamp presentations on Security, and a few recommend changing the Admin ID.

    Here is one example.

    http://www.wpwhitesecurity.com/wordpress-security/change-wordpress-administrator-id/

However, I’m not clear if it’s really ‘best practice’.

    Plugin Author Paul

    (@paultgoodchild)

    It’s for things like this I created our own security plugin.

    There’s a lot of talk about a lot of things, but in reality, it’s mostly noise, and the majority of it all is lots of people repeating what others have said because it sounds neat. But no-one really digs deeper.

    Take the example in that website: http://www.wpwhitesecurity.com/?author=1

    That doesn’t work because they’ve changed their ID. So they’re secured, right?

    But what is to stop me doing this:
    http://www.wpwhitesecurity.com/?author=2
    http://www.wpwhitesecurity.com/?author=3
    http://www.wpwhitesecurity.com/?author=4
    http://www.wpwhitesecurity.com/?author=5

… and so on until I find one that works. I can write a script to do that in 5-10 minutes.

    At that point, changing your ID doesn’t matter since it’s ultimately discoverable anyway.

    What this does highlight though, is that preventing that discovery pathway might be the far cleverer thing to do. But then, what compatibility issues do you run into there by blocking the ?author=x query?

    Our plugin is not about checking boxes to compete with other security plugins, but to implement clever security and obscurity mechanisms that do a good job. Our plugin isn’t in competition with the other security plugins.
    They’re all in a race to see who can load up with the most features and sound more secure. Rather, we’re about putting into place mechanisms that secure your WordPress site, and questioning the legitimacy of certain security “settings”. Something that has gotten lost along the way I feel…

I shall now end my small rant 😉

    Thread Starter wordspressed

    (@wordspressed)

    Thanks for a great reply. The reason I prefer Simply Firewall over the others is for that very reason. This question was the only point that I needed clarification on.

    I’m happy you had the chance to share this information as I’m sure there are others that are wondering the same. Sadly so many people just uninstall instead of asking.

    Regards,

    Charlie

    Plugin Author Paul

    (@paultgoodchild)

Great, glad you’re on board! 🙂

If after using the plugin for a while you’re happy with it, could you leave us a nice review? 🙂

    Cheers!

    Plugin Author Paul

    (@paultgoodchild)

    Just to let you know, with version 4.9.6 I’ve added an option under Lockdown->Obscurity that will attempt to block the ability to find a username when the author=N query is used.

    This may cause issues for certain scenarios and sites, but it’s there as an option.
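For readers who want to see what “blocking the ?author=N discovery pathway” from Paul’s earlier reply amounts to in practice, here is an added illustration written for this thread; it is not the Simple Firewall plugin’s own code, and the plugin name, function name and redirect target are my own choices. It blocks only the numeric-ID form of the query, so permalink author archives (/author/slug/) keep working, which is where the compatibility trade-off Paul mentions lies.

```php
<?php
/**
 * Plugin Name: Block author-ID enumeration (illustrative example)
 *
 * Added example, not the Simple Firewall plugin's own code.
 * WordPress answers /?author=N with a canonical redirect to
 * /author/<user_nicename>/, and that redirect is what leaks the login
 * name for every valid N. The check must therefore run before
 * redirect_canonical(), which is hooked on template_redirect, so it is
 * attached to the earlier 'init' action instead.
 */
add_action( 'init', 'example_block_author_id_enumeration', 1 );

function example_block_author_id_enumeration() {
    // Leave wp-admin alone; only front-end requests matter here.
    if ( is_admin() ) {
        return;
    }

    $author = isset( $_GET['author'] ) ? $_GET['author'] : '';
    if ( is_array( $author ) ) {
        // ?author[]=1 style input: treat the whole thing as one value.
        $author = implode( ',', $author );
    }
    $author = (string) $author;

    // WP_Query strips every non-digit character from the 'author' query
    // var before looking the user up, so '1abc' and 'abc1' both resolve to
    // ID 1. Checking for "any digit present" rather than "all digits"
    // closes that gap. A value with no digits at all is never an ID lookup.
    if ( '' === $author || ! preg_match( '/\d/', $author ) ) {
        return;
    }

    // Answer every numeric probe identically. Sending a 404 for unused IDs
    // and a redirect for real ones would still reveal which IDs exist.
    wp_safe_redirect( home_url( '/' ), 302 );
    exit;
}
```

Because this sends every ?author=N request to the front page, any theme or plugin that links to author archives by numeric ID rather than by permalink will lose those pages; that is the kind of compatibility issue the option above warns about.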

    Thread Starter wordspressed

    (@wordspressed)

    Excellent work. I’ve posted my review.

    Plugin Author Paul

    (@paultgoodchild)

    Great, thanks for that.

    The current implementation to prevent username fishing by ID works, but there is a slight flaw in it. The next release will have an improvement to it.

    Hi Paul

Some little sneak has guessed my admin name — which is not difficult but bearing in mind that both the name and the avatar are in a number of places on t’Internet I want to create a new admin user. However, I am unable to create a new user of any kind — on clicking ‘add new’, I get to the screen to create it but when I do and return to main user panel it isn’t there. Is there something in the Firewall settings that could be preventing me adding a new user?

Just to update you Paul, I’m afraid it was the loose screw on the end of the mouse. I tried to use the same email address as the existing admin user and that’s why it wouldn’t let me create the new one. Lord I bet you hate people like me!

    Posted in new post

    Hi Paul

    How would someone trying to hack my WP site have my name and email address? They have both been used as login names by someone. They don’t appear on my site.


The topic ‘Changing Admin User ID’ is closed to new replies.