ClassicPress Petitions
This is a read-only archive.

New Settings submenu: Security

December 12, 2018 · 19:26 · Daniel Hendricks
Description

I think that it would be nice to have a Security submenu item in settings. It could contain "the basics" that those of us who are paranoid do and/or the reasonable/typical things that popular security plugins do.

I'm not suggesting that you try to duplicate/compete with any given security plugin currently on the market... I'm talking about having some of the basics as checkboxes. Some examples:

  • Remove meta generator tags? (from page head and RSS feeds)
  • Enable XML-RPC? (unticked by default; with help text that briefly describes why you might want/need it, else keep it disabled)
  • Disable File Editing? [i.e.: define( 'DISALLOW_FILE_EDIT', true );]
  • Perhaps an option/button/checkbox to add some of these to .htaccess for the user (but only if Apache is detected): https://codex.wordpress.org/Hardening_WordPress#WP-Includes
  • etc, etc, TBD...
Completed · James Nylen
Discussion
Raymund

Security is a very important aspect of any web app. I like basic security settings integrated.

Fabian Wolf

Well, why not? Any security improvements that might need options could be "dropped" in here :)

W.V. Pelyn T. Palarao

This is a good feature for regular non-techy users. They have an advantage using this rather than setting up a security plugin, which could end up blocking them from the dashboard if set up wrong.

Matthew Sigley

An option for some basic brute force protection would be nice. WP is the most popular target for this type of attack and CP should offer some kind of built-in basic protection if it is more security-focused.
I wrote a basic WP plugin with most of these changes that never affect end-user use, which I use for my client sites that don't want to pay for Wordfence. It might be a good starting point for these changes:
https://github.com/msigley/WP-Simple-Security

invisnet

> Well, why not?

A better solution is to have a new Security page.

That gives us a page for CP security features, and also gives other plugins and themes somewhere to put their security settings.

There's a research repo for this <https://github.com/ClassicPress-research/security-page> which will soon have something to look at.

Klein

I don't care if it is a submenu or page, but I do agree that security options really need to have their own place.

Wells

The first fix should be to obscure the login error messages. It's completely ridiculous to tell a potential attacker they've entered a valid username but an incorrect password.

For security issues that can't be remedied within CP alone, this page could display warnings about the current (insecure) settings and make recommendations on how to fix them (e.g. forcing admin logins through SSL).

Oxlahun Caban

Basic security is a must!

William Patton

If I disable file editing via a constant I don't want anything in the UI to be able to override or revert it.
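The checkboxes listed in the petition, Matthew Sigley's brute-force protection, Wells's point about login error messages, and William Patton's rule that a wp-config.php constant must not be overridable from the UI, shown together as an added PHP example (this is not code from the petition, the linked plugin, or ClassicPress itself; the plugin, the `cp_security_*` option names and the `cp_sec_*` functions are assumptions for illustration):

```php
<?php
/*
Plugin Name: CP Security Basics (hypothetical example)
Description: Illustrates the "basic" hardening options proposed in this petition.
*/

// 1. Remove the meta generator tag from the page head and from RSS feeds.
//    wp_generator() runs through the same 'the_generator' filter, so the
//    empty-string filter covers both; the remove_action is belt and braces.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. XML-RPC is off unless the (hypothetical) option explicitly enables it.
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    return (bool) get_option( 'cp_security_xmlrpc_enabled', false );
} );

// 3. File editing: a constant set in wp-config.php wins over the UI option,
//    so the option is only consulted when wp-config has not defined it.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', (bool) get_option( 'cp_security_disallow_file_edit', true ) );
}

// 4. Generic login error: never reveal whether the username exists.
add_filter( 'login_errors', function ( $message ) {
    return __( 'Invalid username or password.' );
} );

// 5. Basic brute-force throttling: count failed logins per client address in
//    a transient and refuse further attempts once the limit is reached.
const CP_SEC_MAX_FAILS = 5;
const CP_SEC_WINDOW    = 15 * MINUTE_IN_SECONDS;

function cp_sec_client_key() {
    // Assumes no reverse proxy in front of the site (REMOTE_ADDR is the client).
    return 'cp_sec_fails_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

add_action( 'wp_login_failed', function () {
    $key   = cp_sec_client_key();
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, CP_SEC_WINDOW );
} );

// Priority 30 runs after the core username/password check (priority 20).
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( cp_sec_client_key() ) >= CP_SEC_MAX_FAILS ) {
        return new WP_Error( 'too_many_attempts', __( 'Too many failed logins. Try again later.' ) );
    }
    return $user;
}, 30, 3 );
```

Dropped into wp-content/mu-plugins/ it loads before regular plugins, so the DISALLOW_FILE_EDIT check in step 3 still sees whatever wp-config.php defined.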

Jesse

The problem here is insinuating that security is a "setting" to turn on and off and that it's wholly included in the CMS. (It's not, of course.)

Security is a huge, multi-layer concept in web development and stacks, and using the title "security" anywhere in CMS settings does not make sense. If anything, it only misleads users who are browsing their settings...

Should there also be a "Speed" menu? Or a "Marketing" menu? These are macro concepts that cannot be applied to specific software settings. Despite OP's sentiments, it does in fact compete directly with "plugin" branding.

Unfortunately many of the proposals for ClassicPress are a hodgepodge of niche personal whims and not explainable in terms of consistent logic or philosophy as far as a CMS goes; I think much of this needs to be more thoroughly considered and discussed to avoid impulsive code changes...

And as per some of my other comments, let's keep in mind that we are all advanced users, and the success of WordPress is making things easy to understand and use for newbie users (e.g. the UI) while allowing for developers and web hosts to manipulate advanced settings using code-only.