1. Removing the backlinks to wordpress.com from the backend (in the upper right corner, beneath the “help” section), especially in the profile.
2. A “mandatory cookie notice” plugin in the ClassicPress library. It’s a mess with the WordPress plugins, really.
3. A plugin to change the login URL, safely. Meaning: we can test the new URL without leaving the backend, log out to the start page (not to the new login URL) and no backlinks whatsoever.
4. An option in the ClassicPress system itself, or a plugin, that also places the username / email address under the protection of encryption. I know, this would be unusual, but the hint is: if we can encrypt it and there is no problem - why not?
Re 1: You mean WP org. Replacing all of them may take (quite) some time, as the CP docs do not cover each topic yet. That’s why those links to WP org are still there.
@windmill About the cookie notice: it is better to have a plugin, yes. It’s not directly a core feature. As of now, however, I am using CookieYes and it suits my needs.
As concerns changing the login URL, there are safety plugins in the WP repo that do that and work.
Encryption of username and email - I can understand why you suggest that, but in most cases (simple blogs or websites that do not allow registration) that might be too far to include in core. A plugin would be better.
Changing the login URL doesn’t really add much security. These days it’s done more for cosmetic reasons: to make the login page look like the rest of the site.
Encrypting the email address by default would cause significant problems. For example, how would the system know where to send a reset password request email? And, ironically, it would block the most popular form of MFA, which is a genuine security hardening process.
Hi ElisabettaCarrara, timkaye, Ciprian.
Sorry for taking part in the debate a little late; the recent days were a little busy.
Regarding encrypting / hiding user name resp. email address:
All websites and everyone who is involved in activities of public interest (and that of certain agencies / corporations) have priorities and opinions of their own. As far as I’m concerned: I am using an email address that doesn’t exist (so, no reset password request email anyway) to have three levels of privacy / security, also against actors who place templates in front of known login URLs to intercept the data.
unknown user name
unknown login URL
unknown password (as mentioned, my websites use 4096 bit encryption)
A simple solution, to the satisfaction of everyone: a “show/hide” option for the user name / email address.
Now, why change the login URL anyway?
Well, if you were a spy, digital mercenary, hacker, whatever and you are contracted, have been tasked for or ordered destroying, neutralizing resp. hacking a website, medium, portal, there are mainly two ways to do that:
via the login
on the server side.
Leaving the server / host situation aside (which is kind of fun enough, once in a while), you can only start attacks against the castle gate if you know where it is.
And getting rid of REST API data output, or the digital lasso XML-RPC by hiding the login is, from my perspective, a win (I have deactivated both anyway).
A classic business website may see this completely differently.
So, without interfering in anyone’s habits: it would be really nice to have a ClassicPress plugin that conceals my login.
Those changes should go in a plugin; not everyone needs a hard security like they are running a secret service. If a site has no registration enabled, this means only the admin account can be hacked (re: login form), and a plugin that does all the above protects it without touching core.
@windmill You grossly underestimate the ability of scammers to find a place to log in. The rest, as it seems you recognize, should go in a plugin. If you’ve already got code doing that, you’re welcome to build it yourself and submit it to the CP Directory.