MyBB Community Forums

Full Version: Add ability to completely hide a user
I'd like to see the ability to completely hide a user or usergroup. This is for security reasons.

Right now, it is easy to find the username of the forum admin. That is one less detail a hacker needs to start digging. Sure you can hide the admin group from the forum team page, but it still shows in the memberlist.

You can make a change to the memberlist to exclude the admin group rather easily, but everyone knows that UID 1 is the original admin as set during install and most folks don't change that, so it's easy to get the username by directly browsing to the profile page and setting UID=1.

I'd like to have the option to completely hide any user listed in the $config['super_admins'], such as no profile view, no forum team page, no memberlist, no WOL, etc.

It's easy enough to create a second user for actual posting and public interaction so it would be nice to make selected users totally invisible.
I like the idea.

Just to play against it, however, wouldn't it still be rather easy to run a script that checks all UIDs and reports the missing ones? Then all a hacker would need to do is run through and check which accounts are valid accounts, which are "missing" (deleted), and which are neither - hidden in this case.

Could this be better implemented by simply having an alternative login for ACP access that isn't directly tied to a forum account, but rather has its own username / password?
pavemen +1
I'm pretty sure there's a plugin for this; if I remember rightly, during a hacking attempt we used it at a forum I worked at.
Definitely a good idea in my opinion.

And Craig, maybe the devs could spoof the UIDs as well.
Yes, that would be great, like I could hide the "admin" user.
Even though my admin account is UID 1, it has ALL of its admin permissions deactivated. I do all administrative work through a secret account with a unique UID and name (typical username). Thus if anybody successfully gets access to UID 1, it'll be worthless because the real admin account is hidden amongst the masses.
(2012-03-11, 01:14 AM) Mebes Net wrote: Even though my admin account is UID 1, it has ALL of its admin permissions deactivated. I do all administrative work through a secret account with a unique UID and name (typical username). Thus if anybody successfully gets access to UID 1, it'll be worthless because the real admin account is hidden amongst the masses.

Best security out there.
(2012-03-11, 01:14 AM) Mebes Net wrote: Even though my admin account is UID 1, it has ALL of its admin permissions deactivated. I do all administrative work through a secret account with a unique UID and name (typical username). Thus if anybody successfully gets access to UID 1, it'll be worthless because the real admin account is hidden amongst the masses.

Hard to do when you are starting out and not a huge amount of members to choose from. For a totally new user that is just getting started, not a huge target, but a new site from a known big user can be a target. Sure, user/pass combinations are different, but often the sites are on the same server as the bigger target and the new site may be another way onto the server.