EasyEngine Hardening (WordPress MultiSite)


#1

I just realized all of the 22222 admin tools have a default username and password. This is obviously terrifying since I had no idea that by using EasyEngine I was opening myself up to this kind of insecurity by default.

Are there any other similar avenues of attack I should make sure to secure on EasyEngine?

PS: Where is the user data stored for who can log in with what credentials to the 22222 tools? I want to see a list of what names and passwords exist and make sure there are only the entries I am aware of and want there to be.


#2

@Puck read - https://github.com/rtCamp/easyengine/wiki/Admin-Tools

Can you tell me what damage you have suffered because of easyengine default username and password?

There are 3 database related scripts. 2 of them can cause modification and require the database password, which is not a default.

If you are so concerned about security, you should read the complete documentation for any project you are planning to use!


#3

As you are concerned about security, please read - https://github.com/rtCamp/easyengine/wiki/Secure-Module

Apart from the username and password, you can change a few more things, e.g. restrict admin tools to particular IP addresses.
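The first post asks where the admin-tools credentials live and how to confirm that only known accounts exist; the replies above point to changing the defaults and restricting access. As an added example (not code from this thread or from the EasyEngine project), here is a small POSIX shell audit that lists the usernames in an htpasswd-format file (one `user:hash` per line) and exits non-zero if any username is not on an expected allowlist. The file path is a placeholder assumption, and the sample entries in the comments are constructed.

```shell
#!/bin/sh
# Added example, not EasyEngine's own code. Assumption: the admin-tools
# credentials are an htpasswd-style file with "user:hash" lines; set
# HTPASSWD_FILE to the real path on your system (placeholder below).
HTPASSWD_FILE="${HTPASSWD_FILE:-/path/to/admin-tools-htpasswd}"

# list_users FILE
#   Prints one username per line, skipping blank lines and '#' comments.
list_users() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | cut -d: -f1
}

# audit_users FILE EXPECTED_USER...
#   Returns 0 when every user in FILE is on the expected list, 1 otherwise.
#   Each unexpected user is reported on stderr so it can be reviewed/removed.
audit_users() {
    file=$1
    shift
    rc=0
    for u in $(list_users "$file"); do
        ok=0
        for e in "$@"; do
            [ "$u" = "$e" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected admin-tools user: $u" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage (constructed example):
#   EE_EXPECTED_USERS="alice bob" HTPASSWD_FILE=/path/to/file sh audit.sh
# With a file containing "alice:<hash>" and "mallory:<hash>" this prints
# "unexpected admin-tools user: mallory" and exits 1.
if [ -n "${EE_EXPECTED_USERS:-}" ]; then
    audit_users "$HTPASSWD_FILE" $EE_EXPECTED_USERS
fi
```

Run it from cron or a config-management check so that an account added outside your change process shows up immediately; pairing it with an IP allowlist on the admin-tools port, as suggested above, limits who can even reach the login prompt.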


#4

That’s why I’m here, and I will be reading all of those. I’m running on a test environment atm so no harm done yet.

With humility I offer this strongly worded article in hopes it may be of use to you: http://www.ranum.com/security/computer_security/editorials/dumb/


#5

@Puck I apologize if I sounded inconsiderate to your concerns.

My intention was to advise you to look at the documentation first before running anything in a production environment. As a habit, I not only check the docs but also the issue tracker, release history and a few other details about any project.

I noted your link and hope to read it on the weekend. I read a few lines and the article already sounds interesting, though I am personally against considering users “dumb”.

In the case of EasyEngine, it was built by system admins for system admins to get away from repetitive tasks. I think I missed the point that non-system admins are also using EasyEngine and the defaults need better (more secure) handling.

We will do something about your request (hardening) part soon. :smile:


#6

I just came across this post and read the linked article, and didn’t find any reference to dumb USERS. Dumb ideas, sure, and that can sometimes come from the smartest people.


#7

Hi @Puck

It’s been a long time, and we haven’t heard from you. It looks like your issue is resolved.

I am closing this support topic for now. Feel free to create a new support topic if you have any further queries. :slight_smile:

