I think that it would be nice to have a Security submenu item in settings. It could contain “the basics” that those of us who are paranoid do and/or the reasonable/typical things that popular security plugins do.
I’m not suggesting that you try to duplicate/compete with any given security plugin currently on the market… I’m talking about having some of the basics as checkboxes. Some examples:
Remove meta generator tags? (from page head and RSS feeds)
Enable XML-RPC? (unticked by default; with help text that briefly describes why you might want/need it, else keep it disabled)
Disable File Editing? [i.e.: define( 'DISALLOW_FILE_EDIT', true );]
Perhaps an option/button/checkbox to add some of these to .htaccess for the user (but only if Apache is detected): Hardening WordPress « WordPress Codex
etc, etc, TBD…
Read-only archive : Issues · ClassicPress/ClassicPress · GitHub
Author : Daniel Hendricks
Vote count : 49
Status : completed
Comments
This is a good feature for regular non-techy users. They have an advantage using this rather than letting them set up a security plugin, which could end up blocking them from the dashboard if set up wrong.
~ posted by W.V. Pelyn T. Palarao
An option for some basic brute force protection would be nice. WP is the most popular target for this type of attack and CP should offer some kind of built-in basic protection if it is more security focused.
I wrote a basic WP plugin with most of these changes that never affect end-user use, which I use for my client sites that don't want to pay for Wordfence. It might be a good starting point for these changes:
GitHub - msigley/WP-Simple-Security: Simple Security for preventing comment spam and brute force attacks.
~ posted by Matthew Sigley
Well, why not?
A better solution is to have a new Security page.
That gives us a page for CP security features, and also gives other plugins and themes somewhere to put their security settings.
There’s a research repo for this https://github.com/ClassicPress-research/security-page which will soon have something to look at.
~ posted by invisnet
The first fix should be to obscure the login error messages. It’s completely ridiculous to tell a potential attacker they’ve entered a valid username but an incorrect password.
For security issues that can’t be remedied within CP alone, this page could display warnings about the current (insecure) settings and make recommendations on how to fix them (e.g. forcing admin logins through SSL).
~ posted by Wells
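The "basics" from the original post (generator tag, XML-RPC, DISALLOW_FILE_EDIT) plus the login-error change suggested just above, as an added example in the shape of an mu-plugin. This is not ClassicPress core code nor the research repo's; the option name secbasics_enable_xmlrpc and the function names are assumptions, everything else is standard WP/CP hooks.

```php
<?php
/**
 * Plugin Name: Security Basics (added example, not ClassicPress core code)
 * Drop into wp-content/mu-plugins/. Core hooks only; the option name is assumed.
 */
// 1. Strip the meta generator tag from <head> and from RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. XML-RPC stays off unless the owner has explicitly opted in (unset = off).
add_filter( 'xmlrpc_enabled', function () {
    return (bool) get_option( 'secbasics_enable_xmlrpc', false );
} );

// 3. Disable the built-in theme/plugin file editor.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// 4. Collapse "unknown user" and "wrong password" into one message so a failed
//    login no longer confirms that a username exists. Priority 99 runs after
//    core's own authenticate handlers (priority 20), which produce these codes.
add_filter( 'authenticate', function ( $user ) {
    $leaky = array( 'invalid_username', 'invalid_email', 'incorrect_password' );
    if ( is_wp_error( $user ) && in_array( $user->get_error_code(), $leaky, true ) ) {
        return new WP_Error( 'login_failed', 'Invalid username or password.' );
    }
    return $user;
}, 99 );

// 5. Settings the page cannot change by itself are reported rather than fixed.
function secbasics_warnings() {
    $warnings = array();
    if ( ! force_ssl_admin() ) {
        $warnings[] = 'Admin logins are not forced over SSL; set FORCE_SSL_ADMIN in wp-config.php.';
    }
    if ( apply_filters( 'xmlrpc_enabled', true ) ) {
        $warnings[] = 'XML-RPC is enabled; keep it off unless a client needs it.';
    }
    return $warnings;
}
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( secbasics_warnings() as $warning ) {
        echo '<div class="notice notice-warning"><p>' . esc_html( $warning ) . '</p></div>';
    }
} );
```

The .htaccess items from the original post are deliberately left out: they depend on the web server, which is why the post suggests applying them only when Apache is detected.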
The problem here is insinuating that security is a “setting” to turn on and off and that it's wholly included in the CMS. (It's not, of course.)
Security is a huge, multi-layer concept in web development and stacks, and using the title “security” anywhere in CMS settings does not make sense. If anything, it only misleads users who are browsing their settings…
Should there also be a “Speed” menu? Or a “Marketing” menu? These are macro concepts that cannot be applied to specific software settings. Despite OP’s sentiments, it does in fact compete directly with “plugin” branding.
Unfortunately many of the proposals for ClassicPress are a hodgepodge of niche personal whims and not explainable in terms of consistent logic or philosophy as far as a CMS goes; I think much of this needs to be more thoroughly considered and discussed to avoid impulsive code changes…
And as per some of my other comments, let’s keep in mind that we are all advanced users, and the success of WordPress is making things easy to understand and use for newbie users (e.g. the UI) while allowing for developers and web hosts to manipulate advanced settings using code-only.
~ posted by Jesse