Tuesday, 19 August 2008

#39 - rename your admin account

Always rename your admin account to something difficult to guess. Name it theJoomlaGod, damina, joesixpack, or anything you like, but do change it to something other than admin. This is one of the most effective things you can do to protect and secure your Joomla installation.


A recent (Aug '08) vulnerability in Joomla 1.5 allowed a malicious user to reset your admin password. A good number of sites got defaced. Funnily enough, our 1.5 websites were affected by the vulnerability; however, they were not defaced. The reason for this is that the exploit relied on the fact that most users do not rename their admin account. Thus, when this kind of vulnerability was exposed, the hacker simply reset the admin password and logged on to the admin account.

Our 1.5 websites did get their password reset, but they were not defaced. This is because the first thing we do after installing Joomla is rename the admin user to something more sensible and difficult to guess. This ensures that most kinds of attacks that target the admin user do not work.
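The two points above (check whether a privileged account still carries a guessable name, then rename it to something that is neither guessable nor already taken) can be turned into a small audit. The following is an added example, not code from the original post or from Joomla itself. It assumes the Joomla 1.5 users table layout (columns `id`, `username`, `usertype`, `gid`, `block`, default `jos_` prefix) and takes the rows as plain dicts; in practice you would fetch them with a database query and run the returned statement through your DB driver with its parameters.

```python
"""Audit Joomla 1.5 user records for privileged accounts that still use a
default or easily guessed username, and build the rename statement.

Added example, not code from the original post. Assumes the Joomla 1.5
users table: id, username, usertype, gid, block (prefix jos_ by default).
"""

from typing import Iterable

# Names an attacker will try first. Constructed list (only "admin" is
# mentioned on the page); extend it with whatever your own policy forbids.
GUESSABLE = frozenset({"admin", "administrator", "root", "superadmin", "joomla"})

# Joomla 1.5 back-end user types (assumed core ACL names).
PRIVILEGED_TYPES = frozenset({"Super Administrator", "Administrator"})

# Assumed width of the username column; adjust to your schema.
MAX_USERNAME_LEN = 150

# Constructed sample rows standing in for SELECT id, username, usertype, gid, block FROM jos_users
SAMPLE_USERS = [
    {"id": 62, "username": "admin", "usertype": "Super Administrator", "gid": 25, "block": 0},
    {"id": 63, "username": "editor1", "usertype": "Editor", "gid": 20, "block": 0},
    {"id": 64, "username": "Administrator", "usertype": "Administrator", "gid": 24, "block": 1},
]


def find_guessable_privileged(users: Iterable[dict]) -> list:
    """Return active (unblocked) privileged accounts whose username is guessable."""
    hits = []
    for u in users:
        if u["usertype"] not in PRIVILEGED_TYPES:
            continue
        if u.get("block", 0):
            continue  # blocked accounts cannot be logged into, so skip them
        if u["username"].strip().lower() in GUESSABLE:
            hits.append(u)
    return hits


def new_name_ok(new_name: str, users: Iterable[dict]) -> bool:
    """A replacement name must be non-empty, fit the column, not be guessable
    itself and not collide (case-insensitively) with an existing account."""
    n = new_name.strip()
    if not n or len(n) > MAX_USERNAME_LEN:
        return False
    if n.lower() in GUESSABLE:
        return False
    return all(u["username"].lower() != n.lower() for u in users)


def rename_statement(prefix: str, user_id: int, new_name: str) -> tuple:
    """Build a parameterised UPDATE (sql, params). The table prefix comes from
    the site's configuration; the new name is passed as a bound parameter so
    it is never interpolated into the SQL text."""
    sql = f"UPDATE {prefix}users SET username = %s WHERE id = %s"
    return sql, (new_name, user_id)


def plan_renames(users: list, replacement: str, prefix: str = "jos_") -> list:
    """Return the list of (sql, params) needed to fix every flagged account,
    or raise if the chosen replacement is not acceptable."""
    if not new_name_ok(replacement, users):
        raise ValueError(f"replacement username {replacement!r} is not acceptable")
    return [rename_statement(prefix, u["id"], replacement) for u in find_guessable_privileged(users)]


if __name__ == "__main__":
    for u in find_guessable_privileged(SAMPLE_USERS):
        print(f"privileged account with guessable name: id={u['id']} username={u['username']}")
    for sql, params in plan_renames(SAMPLE_USERS, "joesixpack"):
        print(sql, params)
```

Only the Super Administrator named `admin` is flagged in the sample: the blocked `Administrator` account is skipped, and `editor1` is not privileged. Choosing `editor1` or `root` as the replacement is rejected, which is the check you want before running the UPDATE on a live site.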

Comments
CanBerra | Registered | 2008-08-29 07:26:47
Joomla is new for me, but as a system/network administrator this makes perfect
sense and is actually, in my line of work, standard practice. It is for the same
reason why on all the servers I manage the administrator's account is renamed and
locked, and some obscure name is the actual administrator. An administrator's
account is to be used as a last resort anyway. Only to be used if there is no
other way to handle any problem.

Last Updated ( Wednesday, 01 October 2008 )