Maxim Vetrov, 2015-12-01 18:29:07
Information Security

Why remove the WordPress admin?

I read an article on security on Habré:
"Under pressure. We break and protect Wordpress with our own hands"
habrahabr.ru/company/xakep/blog/259843
The article recommends removing the admin:

By default, WordPress assigns each user a unique ID, represented as a number: example.com/?author=1. By enumerating the numbers, you can determine the names of the site's users. The admin account, which is created during the WordPress installation process, is number 1, so it is recommended to remove it as a protective measure.

So the question is: what is the "protective measure" in removing the admin?
Okay, let's say you deleted the account named "admin". Of course, before that you will create a second user, to whom you also assign all rights on the site. Now I go to your site using the links example.com/?author=2, example.com/?author=3 and so on. That is, I identify all users of the site (both the admin and the editors). Now nothing prevents me from starting to guess passwords for the logins I found. And I can order a brute-force from professionals who involve more than a hundred machines in this. So what? So I repeat my question: what is the "protective measure" in removing the admin?

3 answer(s)
Mr Crabbz, 2015-12-01
@Punkie

Now, I go to your site using the link example.com/?author=2, example.com/?author=3 and so on.

If a person has gone to the trouble of removing the admin, will he really leave those same "author" pages as they are?
We put protection on them against viewing, and let them brute-force to their heart's content)

Alexey Nikolaev, 2015-12-01
@Heian

In my opinion, this is pointless and more like a crutch than a working protective measure. From the same category: naming the admin-panel directory not /admin but /adminpanel. It deals with the consequences, i.e. with the weak protection of the system's core, rather than strengthening the protection of that very core.
If the system has protection against brute force and DDoS (or a block in .htaccess via htpasswd on the login/admin URLs) and the administrator uses good passwords (and not his date of birth, for example), there is no point in changing or deleting any accounts.
WP is a good engine, and there are very good plugins for it which, for example, lock the account for half an hour after 5 login attempts. Also, security updates for WP come out quite often.
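The two measures the answers above propose, closing the "author" pages and putting htpasswd in front of the login, as one .htaccess fragment. This is an added example, not code from the thread or from WordPress itself; it assumes Apache with mod_rewrite, WordPress installed at the site root, and an htpasswd file at /var/www/.htpasswd.

```apache
# Added example (not from the original thread): Apache .htaccess for a
# WordPress site at the web root. Assumed path: /var/www/.htpasswd

RewriteEngine On

# (1) Refuse front-end requests whose query string carries author=<number>.
#     WordPress would otherwise redirect them to /author/<login>/, which is
#     the step that reveals the login name.
#     wp-admin is excluded because its own screens use ?author= for filtering.
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule ^ - [F,L]

# Pretty permalinks expose the same archive directly under /author/<login>/.
# Closing it also breaks legitimate author-archive links in the theme, so
# only do this if the site does not use them.
RewriteRule ^author/ - [F,L]

# (2) A second password in front of the login form, as the answer above
#     suggests. Create the file with:  htpasswd -c /var/www/.htpasswd <name>
#     Only users who pass this prompt ever reach the WordPress login page,
#     so a password-guessing run against wp-login.php stops at the web server.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/var/www/.htpasswd"
    Require valid-user
</Files>
```

Beyond what the thread covers, the WordPress REST API (/wp-json/wp/v2/users) also lists users who have published posts, so these rules alone do not close every enumeration path.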
