[wp-hackers] Possible security patch

Peter Westwood peter.westwood at ftwr.co.uk
Mon Dec 7 13:56:20 UTC 2009


On 7 Dec 2009, at 08:32, Lynne Pope wrote:
>
> Agree with Ian here. Prompting to rename "admin" AND create another
> account for posting, recommending they use the Editor role for that
> second account.
>
> If there is going to be a prompt it really needs to spell things out,
> otherwise we'll see people creating a second user name ok, with admin
> privileges.
>

I'm not sure I understand the security benefit of renaming the admin  
account.

You don't go round renaming the root account on a UNIX install to  
improve security - you lock the account down with a secure password  
and use it appropriately, working as a normal user as much as possible.

The process of creating an account for posting could be part of a
post-install guided process - maybe if you go to the Add New post screen
you get a message about creating a user to write posts with, separate
from the admin user, with a way to dismiss this message.

I think we need to carefully explore the best user experience on this  
before we rush in and do something - maybe we need to work through a  
couple of different wireframes on this.

Peter
-- 
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5


