[wp-hackers] Su for WP: wp-su (Was: Possible security patch)

Dion Hulse (dd32) wordpress at dd32.id.au
Sun Dec 6 05:21:14 UTC 2009

I thought of the same thing. And in the end, I thought, if I don't try,
it'll never happen.

Ultimately, those who use it will be someone who's had WP installed by
someone else, or have googled on how to keep their installs secure, I
think.. Originally it was more of a POC, but after talking to a few people
about it, they saw the benefit of it.

I myself do not actually abide by most of those security rules I listed..
So I know there's definitely a chunk of users out there for it :)

On Sun, 06 Dec 2009 16:09:18 +1100, Steven Rossi <SuperMoonMan at gmail.com> wrote:

> Sounds like a cool plugin which will certainly serve its purpose for users
> that install it. The problem it might run into is that
> getting-people-to-use-it part. People that know how this stuff works well
> enough to realize they should be using something like this are probably
> already using something like this--or at least being smart about their
> usernames/passwords. Because really, something like this is definitely an
> inconvenience, despite it providing valuable security. If you could get the
> message of the importance of this out there, I totally support your plugin.
>
> Steven Rossi
> http://www.letsmovetothemoon.com
> http://www.stevenjrossi.com
> http://www.twitter.com/supermoonman
>
> On Sat, Dec 5, 2009 at 11:55 PM, Dion Hulse (dd32) <wordpress at dd32.id.au> wrote:
>> On Sun, 06 Dec 2009 15:29:44 +1100, Ian Stewart <ian at themeshaper.com> wrote:
>>
>>> The correct solution probably is to avoid using the admin account for
>>> posting. I'd argue though that most people do use the admin account for
>>> posting and will continue to whether or not it is the correct solution.
>>> Even if they know it's the correct solution. Just like people choose to
>>> use weak passwords
>>
>> I've been working on a plugin the past few days for that exact reason, that
>> a lot of users just use an Administrative account..
>>
>> The idea? Wp-Su
>>
>> Put simply, it adds an extra line of security to WordPress. No longer do
>> you have an Administrative account; you have an account with minimal
>> privileges - enough to let you write posts, edit posts, and do the majority
>> of what you would do..
>> But in the event that you wish to change a blog option, there's no need to
>> log out and log into the admin account. Just hit the Su link, type in the
>> extra password (which can (should) differ from your user account password),
>> and all the administrative features are open (for a predetermined time,
>> 5 minutes? 15, 30 minutes).
>>
>> I've had some people ask me flat out, what's the point? Just use an Editor
>> account. OR why? Aren't people just going to sniff the Su password as well?
>>
>> I came up with a simple list for that:
>>  1. Users should never use accounts which have more privileges than they
>>     require
>>  2. Users should only ever log into administrative accounts on
>>     computers/networks they trust 100%
>>  3. Users should never use the same password for everything
>>  4. Majority of keyloggers are generally only targeting user/password
>>     combinations
>>
>> How many people know of a user who doesn't follow 1-3?
>> How many people know of a bank which no longer uses a username and password
>> combo? And instead, has an extra layer of security (picture password for
>> example, or SMS)? - Pretty much all of them.
>>
>> Currently.. my plugin is unreleased. However, it will be out by the time 2.9
>> ships, will require WP 2.9, and whilst the UI integration isn't as good as
>> I'd like (due to WP shortcomings in filters at present), uses an extra text
>> password (instead of pictures/phrases/whatever), and is presently mainly a
>> proof of concept.
>>
>> Right now, the user enables the plugin, selects which roles should have
>> access to a Su environment, and selects which caps should be protected by Su
>> use (ie. plugin, blog, theme and user options/edits should only be done by
>> Su users; however post publishing, page editing, etc can be done by a
>> "normal" user).. I'm hoping to extend that to have a short wizard which
>> prompts the user to set it up properly before release however.
>>
>> Thoughts? Anyone want the Beta? (Email me off list please - it could do
>> with some security testing before release.. Not sure I got the User Cookie
>> 100% right)
>>
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers

Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
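The quoted message describes the mechanism in words (a set of protected capabilities, a second password that differs from the login password, and a time-limited Su window) and flags the user cookie as the part the author is least sure about. The sketch below is an added illustration written for this thread, not the wp-su plugin and not Dion's code; it shows how that design maps onto WordPress's own hooks on a current WordPress release. Everything named `su_example_*`, the protected-capability list, the 15-minute window and the five-failure lockout are constructed for the example. The key design choice is that the elevation state lives server-side in a transient keyed by user ID, so nothing about the window is read back from a client cookie.

```php
<?php
/*
Plugin Name: Su Gate (illustrative example)
Description: Time-limited privilege elevation behind a second password.
             Added example code, not the wp-su plugin described on the list.
*/

// Capabilities that only work inside an active Su window. Constructed list that
// mirrors the "plugin, blog, theme and user options/edits" split from the thread;
// post publishing and page editing are deliberately left unprotected.
function su_example_protected_caps() {
    return array(
        'manage_options',
        'activate_plugins', 'install_plugins', 'edit_plugins', 'delete_plugins',
        'switch_themes', 'edit_themes', 'install_themes',
        'create_users', 'edit_users', 'delete_users', 'promote_users',
    );
}

// Length of the elevated window in seconds (15 minutes, one of the values floated).
define( 'SU_EXAMPLE_TTL', 15 * 60 );

// The Su password hash is stored separately from the account password, so a
// captured login password on its own does not reach the protected caps.
// (A profile field that calls this is assumed and not shown.)
function su_example_set_password( $user_id, $plain ) {
    update_user_meta( $user_id, 'su_example_hash', wp_hash_password( $plain ) );
}

// The window is a server-side transient with its own expiry; no cookie is consulted.
function su_example_is_elevated( $user_id ) {
    return false !== get_transient( 'su_example_' . (int) $user_id );
}

// Strip the protected caps from any user who has no active Su window. Runs inside
// every current_user_can() / user_can() check, including the mapped meta caps.
function su_example_filter_caps( $allcaps, $caps, $args ) {
    $user_id = isset( $args[1] ) ? (int) $args[1] : 0;
    if ( $user_id && ! su_example_is_elevated( $user_id ) ) {
        foreach ( su_example_protected_caps() as $cap ) {
            unset( $allcaps[ $cap ] );
        }
    }
    return $allcaps;
}
add_filter( 'user_has_cap', 'su_example_filter_caps', 10, 3 );

// Handles the Su form (POST to admin-post.php?action=su_example_elevate).
function su_example_handle_elevate() {
    check_admin_referer( 'su_example_elevate' );
    $user_id = get_current_user_id();
    $hash    = get_user_meta( $user_id, 'su_example_hash', true );
    $pass    = isset( $_POST['su_password'] ) ? (string) $_POST['su_password'] : '';

    // Throttle guessing: a handful of failures locks the Su form for one TTL period.
    $fail_key = 'su_example_fail_' . $user_id;
    $failures = (int) get_transient( $fail_key );
    if ( $failures >= 5 ) {
        wp_die( 'Su is temporarily locked for this account.' );
    }

    if ( $user_id && $hash && wp_check_password( $pass, $hash ) ) {
        set_transient( 'su_example_' . $user_id, time() + SU_EXAMPLE_TTL, SU_EXAMPLE_TTL );
        delete_transient( $fail_key );
    } else {
        set_transient( $fail_key, $failures + 1, SU_EXAMPLE_TTL );
    }
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_su_example_elevate', 'su_example_handle_elevate' );

// Lets the user leave the window early instead of waiting for the transient to expire.
function su_example_handle_drop() {
    check_admin_referer( 'su_example_drop' );
    delete_transient( 'su_example_' . get_current_user_id() );
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'admin_post_su_example_drop', 'su_example_handle_drop' );

// Minimal Su form in the admin footer, shown only while the user is not elevated.
function su_example_form() {
    if ( su_example_is_elevated( get_current_user_id() ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'su_example_elevate' ); ?>
        <input type="hidden" name="action" value="su_example_elevate" />
        <label>Su password <input type="password" name="su_password" autocomplete="off" /></label>
        <input type="submit" value="Su" />
    </form>
    <?php
}
add_action( 'admin_footer', 'su_example_form' );
```

Because `manage_options` is also what the Settings, Plugins and Themes screens check before rendering their menu entries, those entries disappear until the window is active, which is the "administrative features are open for a predetermined time" behaviour from the thread without any cookie to get wrong. Keying the transient by user ID alone means every session of that account is elevated at once; mixing `wp_get_session_token()` into the key narrows it to the browser that typed the Su password.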
