Suggestion: Alternative Username other than 'Admin' for Wordpress
-
Hi,
A Feature suggestion please:I installed wordpress on cloudron and found the first user to be 'admin' (users handled by app) - I manually added another administrator user and deleted the first one.
May I suggest that the first administrator username be something different since bruteforce attacks try 'admin' first before anything else.
This could be a good practice. Just my 2 cents.
Thanks!
-
Hi,
A Feature suggestion please:I installed wordpress on cloudron and found the first user to be 'admin' (users handled by app) - I manually added another administrator user and deleted the first one.
May I suggest that the first administrator username be something different since bruteforce attacks try 'admin' first before anything else.
This could be a good practice. Just my 2 cents.
Thanks!
@jagan I second this, as a cyber security consultant, you wouldnt believe how many sites are hacked due to the name being admin, or something in the url. Perhaps cloudron-admin, or even better, have the admin name set post install with instructions on a good way to choose a strong name.
-
Thanks @deepeyes and @jagan . Currently, it is
adminbecause that username is specifically reserved by the Cloudron (i.e you cannot have a Cloudron username calledadmin).I can think of two things that we can easily fix immediately:
- Add a note that this user can be deleted in the post installation dialog
- We are already looking to auto-generating passwords for each installation (instead of having a standard default). This prevents cases where the user forgets to change the default password.
-
Thanks @deepeyes and @jagan . Currently, it is
adminbecause that username is specifically reserved by the Cloudron (i.e you cannot have a Cloudron username calledadmin).I can think of two things that we can easily fix immediately:
- Add a note that this user can be deleted in the post installation dialog
- We are already looking to auto-generating passwords for each installation (instead of having a standard default). This prevents cases where the user forgets to change the default password.
@girish Even the "changeme" note might be good enough.
-
Can we use the email as the admin user please?
@jagan what do you mean by this? Just delete admin user and create another however you want, no?
-
Yes, that is what I presume 99% of all our users do, but isn't this an extra step that can be avoided by having something else as the default admin user instead of 'admin'?
I mean, if cloudron wizardly can help with a simple workabout as a best practice, it would be great.
We can use the email - domain.app@cloudron as the username if that is possible without much work.Sure, this is not a 'must have' thing, just a desirable one.
Thank you!
Edit: I am seeing an increase in brute force attacks trying to use 'admin' as username across many sites. That is what prompted me to revisit this feature request.
-
Yes, that is what I presume 99% of all our users do, but isn't this an extra step that can be avoided by having something else as the default admin user instead of 'admin'?
I mean, if cloudron wizardly can help with a simple workabout as a best practice, it would be great.
We can use the email - domain.app@cloudron as the username if that is possible without much work.Sure, this is not a 'must have' thing, just a desirable one.
Thank you!
Edit: I am seeing an increase in brute force attacks trying to use 'admin' as username across many sites. That is what prompted me to revisit this feature request.
@jagan I think WP requires some username. It's not possible to create a user with just email address. We can change 'admin' to something else, but the script kiddies will just add that username as another option.
-
Yes, a username is mandatory requirement. My idea did not get through, let me try again please.
On some platforms, the email and the username are automatically set to be the same.
This is not ideal, although the email would be unique.However for cloudron, please consider this:
On Cloudron, the system already generates a 'From Email' on its own.
I wish to propose that this email or the first part of it (before @) be used as the username.Mail FROM Address
Anything but 'admin' would be great.
