Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+1 vote
787 views
in Q2A Core by

I'm just wondering whether it makes sense to hide the super administrator from the user page (or at least to change the information about the role to something unsuspicious) and/or to remove the profile page so that it would be harder for attackers to guess the username - password combination. I know this recommendation from Wordpress installations and according to my own experience these attacks indeed first try default admin names. Q2A doesn't seem to have a default admin name, but it could be easily retrieved by scanning the user profiles.

I am aware of the option to allow only email addresses for login, but this would probably affect all users, not only the admin. Another option would therefore be to allow for admin login only the email address (while allowing also usernames for other users).

The question might possibly also be relevant for editors etc.

Q2A version: 1.6.2

1 Answer

+2 votes
by
 
Best answer
I don't think bruteforce is possible in Q2A's login page. because Q2A will automaticaly limit number of login requests. meaning user(or bot) can only try loging in a limited number if times.

if bot can only try 20 passwords in an hour it will take years for it to brutefore simplest passwords. even if it uses proxies with hundreds of IP addresses it will still take to long to be worth trying.

* you can set how many times a user can try to login in an hour in "admin > spam" page.
...