Security and public/member-isolation
I am managing (=tech support) a single collaborative blog with both public and members-only content. The content producers have varying skill levels, and the “customers” belong to three groups (public, member, board). We want to store relatively sensitive information in the members-only and board sections. Access restrictions are thus important. We are using “Role Manager”, “Category Visibility” and “Page Restriction” plugins (and soon probably the “Secure Files” plugin), but they do not yet offer sufficient protection.
1) Rename admin account, possibly(?) randomize admin id at install –> makes local and remote brute force attacks harder
2) Don’t allow login names to be displayed as writers in the blog –> makes local and remote brute force attacks harder
3) Enforce strong passwords –> makes local and remote brute force attacks harder
4) Log failed logins to database (date & failures & time of last attempt), block logins after X failures that day, clear counters at successful login or next day (=hours is less than before) –> makes local and remote brute force attacks harder
5) Secure the file upload directory so that it can be made readable only to logged-in members (file permissions can’t do that, but maybe some clever rewrite rules and other .htaccess wizardry and script-based access control…). An alternative would be database-based “secure files”.
6) Give us a built-in tool to administer roles such as public subscriber, partner, member, officials, board, member manager, admin… We need these for (non-profit) organization blogs.
- The topic ‘Security and public/member-isolation’ is closed to new replies.
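The counter scheme in item 4 of the post, as an added example that is not part of the original post and is not WordPress or plugin code. It is a sketch in Python with SQLite; the table name, function names and the value of X are assumptions made for illustration.

```python
import sqlite3
from datetime import datetime

MAX_FAILURES = 5  # the post's "X"; the value 5 is an assumption

def open_store(path=":memory:"):
    """Create the failure table: one row per login name (hypothetical schema)."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS login_failures (
        login TEXT PRIMARY KEY, day TEXT NOT NULL,
        failures INTEGER NOT NULL, last_attempt TEXT NOT NULL)""")
    return db

def _failures_today(db, login, now: datetime) -> int:
    row = db.execute("SELECT day, failures FROM login_failures WHERE login = ?",
                     (login,)).fetchone()
    # A row stamped with an earlier day counts as zero: the counter clears daily.
    return row[1] if row and row[0] == now.date().isoformat() else 0

def record_failure(db, login, now: datetime) -> int:
    """Store date, failure count and time of last attempt; return the new count."""
    count = _failures_today(db, login, now) + 1
    db.execute("INSERT OR REPLACE INTO login_failures VALUES (?, ?, ?, ?)",
               (login, now.date().isoformat(), count, now.isoformat()))
    db.commit()
    return count

def record_success(db, login):
    """Clear the counter at successful login."""
    db.execute("DELETE FROM login_failures WHERE login = ?", (login,))
    db.commit()

def attempt_login(db, login, password_ok: bool, now: datetime) -> str:
    """Return 'blocked', 'failed' or 'ok'.

    password_ok stands in for the result of the real password check.
    """
    login = login.strip().lower()  # count "Alice" and "alice" together
    # Test the block first, so a blocked login learns nothing about the password.
    if _failures_today(db, login, now) >= MAX_FAILURES:
        return "blocked"
    if not password_ok:
        record_failure(db, login, now)
        return "failed"
    record_success(db, login)
    return "ok"
```

Because the counter is keyed on the login name alone, repeated wrong guesses against a known name lock its legitimate owner out for the rest of the day; that is one more reason to keep login names undisclosed, as items 1 and 2 of the post ask.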