WordPress.org

Forums

Security and public/member-isolation (2 posts)

  1. LostInNetwork
    Member
    Posted 8 years ago #

    I am managing (=tech support) a single collaborative blog with both public and members-only content. The content producers have varying skill levels, and the "customers" belong to three groups (public, member, board). We want to store relatively sensitive information in the members-only and board sections. Access restrictions are thus important. We are using "Role Manager", "Category Visibility" and "Page Restriction" plugins (and soon probably the "Secure Files" plugin), but they do not yet offer sufficient protection.

    Wishes

    1) Rename admin account, possibly(?) randomize admin id at install --> makes local and remote brute force attacks harder

    2) Don't allow login names to be displayed as writers in the blog --> makes local and remote brute force attacks harder

    3) Enforce strong passwords --> makes local and remote brute force attacks harder

    4) Log failed logins to database (date & failures & time of last attempt), block logins after X failures that day, clear counters at successful login or next day (=hours is less than before) --> makes local and remote brute force attacks harder

    5) Secure the file upload directory so that it can be made readable only to logged in members (file permissions can't do that, but maybe some clever rewrite rules and other .htaccess wizardry and script based access control...). An alternative would be database based "secure files".

    6) Give us a built-in tool to administer roles such as public subscriber, partner, member, officials, board, member manager, admin... We need these for (non-profit) organization blogs.

  2. LostInNetwork
    Member
    Posted 8 years ago #

    Update:

    Blocking new login attempts would make DoS attacks really simple. It would be better to add delay to logins after a few failures (oh well, then someone could make 10.000.000 parallel connections...) Some sort of delay would be appreciated, though. I would happily limit the number of simultaneous connections and add some delay. That would work in our case.

    We need more control here. It may be optional, but it's still wanted.

    Thanks
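The two policies discussed in this thread, wish 4 from the first post (count failures per account per day, block at a limit, clear on success or the next day) and the second post's alternative (never block, but make each retry wait longer), are modelled below in plain Python. This is an added example, not code from the poster and not a WordPress plugin; the class and function names, the thresholds, the in-memory dictionary standing in for a database table and the injectable clock are all assumptions made for illustration.

```python
"""Login-throttle model: per-account failure counter with daily reset,
offered in a hard-block variant and a growing-delay variant."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

MAX_FAILURES_PER_DAY = 5   # hard-block threshold (assumed value)
BASE_DELAY_SECONDS = 2.0   # wait after the first failure (assumed value)
MAX_DELAY_SECONDS = 60.0   # cap so a flood cannot push the wait out forever


@dataclass
class FailureRecord:
    day: str                         # ISO calendar day the counter belongs to
    failures: int = 0
    last_attempt: Optional[datetime] = None


class LoginThrottle:
    """Tracks failed logins per account name (hypothetical helper).

    mode="block": refuse further attempts once MAX_FAILURES_PER_DAY is hit.
    mode="delay": never refuse outright, but require an exponentially
                  growing wait between attempts, capped at MAX_DELAY_SECONDS.
    The counter is cleared on a successful login or when the day changes.
    """

    def __init__(self, mode: str = "delay",
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        if mode not in ("block", "delay"):
            raise ValueError("mode must be 'block' or 'delay'")
        self.mode = mode
        self.clock = clock
        self.records: Dict[str, FailureRecord] = {}   # stands in for the DB table

    def _record(self, account: str) -> FailureRecord:
        today = self.clock().date().isoformat()
        rec = self.records.get(account)
        if rec is None or rec.day != today:   # new day: counter starts over
            rec = FailureRecord(day=today)
            self.records[account] = rec
        return rec

    def required_delay(self, account: str) -> float:
        """Seconds this account must still wait before the next attempt."""
        rec = self._record(account)
        if rec.failures == 0 or rec.last_attempt is None:
            return 0.0
        backoff = min(BASE_DELAY_SECONDS * 2 ** (rec.failures - 1), MAX_DELAY_SECONDS)
        elapsed = (self.clock() - rec.last_attempt).total_seconds()
        return max(0.0, backoff - elapsed)

    def may_attempt(self, account: str) -> bool:
        rec = self._record(account)
        if self.mode == "block":
            return rec.failures < MAX_FAILURES_PER_DAY
        return self.required_delay(account) == 0.0

    def attempt(self, account: str, password_ok: bool) -> str:
        """Returns 'ok', 'failed', 'blocked' or 'too_soon'."""
        if not self.may_attempt(account):
            # Rejected attempts are not counted and do not touch last_attempt,
            # so a burst of early retries cannot by itself extend the wait.
            return "blocked" if self.mode == "block" else "too_soon"
        rec = self._record(account)
        if password_ok:
            self.records.pop(account, None)   # success clears the counter
            return "ok"
        rec.failures += 1
        rec.last_attempt = self.clock()
        return "failed"


class FakeClock:
    """Deterministic clock so the walk-through below is reproducible."""
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, seconds: float = 0, days: int = 0) -> None:
        self.now += timedelta(seconds=seconds, days=days)


def demo() -> dict:
    """Runs both policies against a constructed sequence of attempts."""
    start = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    out = {}

    # Hard block: after the limit even the correct password is refused today.
    clock = FakeClock(start)
    t = LoginThrottle(mode="block", clock=clock)
    for _ in range(MAX_FAILURES_PER_DAY):
        t.attempt("editor", password_ok=False)
    out["block_after_limit"] = t.attempt("editor", password_ok=True)  # 'blocked'
    clock.advance(days=1)
    out["block_next_day"] = t.attempt("editor", password_ok=True)     # 'ok'

    # Growing delay: early retries are refused but not counted; wait doubles.
    clock = FakeClock(start)
    t = LoginThrottle(mode="delay", clock=clock)
    t.attempt("editor", password_ok=False)                 # failure 1 -> 2 s
    out["delay_after_one"] = t.required_delay("editor")    # 2.0
    out["delay_too_soon"] = t.attempt("editor", password_ok=True)  # 'too_soon'
    clock.advance(seconds=2)
    t.attempt("editor", password_ok=False)                 # failure 2 -> 4 s
    out["delay_after_two"] = t.required_delay("editor")    # 4.0
    clock.advance(seconds=4)
    out["delay_then_ok"] = t.attempt("editor", password_ok=True)   # 'ok'
    out["cleared"] = t.required_delay("editor")            # 0.0
    return out


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through shows the trade-off the second post raises: in "block" mode an attacker who knows an account name can lock its owner out for the day with a handful of bad passwords, while in "delay" mode the worst an attacker can impose is the capped wait, and rejected early retries are deliberately not counted so they cannot extend it. A production version would key the counter on the source address as well as the account name and persist the records in the database rather than a dictionary.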

Topic Closed

This topic has been closed to new replies.
