BuddyPress.org

Opened 14 years ago

Closed 13 years ago

#1820 closed defect (bug) (no action required)

Add ability to remove/replace/rename default "admin" account

Reported by: doug.daulton
Owned by:
Milestone: 1.5
Priority: major
Severity:
Version:
Component: Core
Keywords: security, hackers reporter-feedback
Cc:

Description

Wondering why we cannot delete "admin" account and replace with an account with a non-standard name (i.e. userfred). There was a security issue in standard WP a while back that saw hackers attacking installs with "admin" as the default account. This prompted removal of default "admin" account on many WP installs.

I tried to hack this in the DB but it looks like BP somehow requires "admin" as the username because, while I can log in with the renamed account, I do not see the plugins dropdown or other Admin functions from the dashboard.

I deleted all cookies to be sure that was not the issue. The non-admin dashboard still appears.

Change History (13)

#1 follow-up: @r-a-y
14 years ago

There's a WP plugin to rename usernames:
http://wordpress.org/extend/plugins/wpvn-username-changer/

I tried it out some time ago on a BP 1.0 install and it worked, haven't tried it since though.

#2 in reply to: ↑ 1 ; follow-up: @doug.daulton
14 years ago

Replying to r-a-y:

There's a WP plugin to rename usernames:
http://wordpress.org/extend/plugins/wpvn-username-changer/

I tried it out some time ago on a BP 1.0 install and it worked, haven't tried it since though.

I can change it in the DB. But, I think there is something in the BP code which is restricting it to admin.

#3 in reply to: ↑ 2 @rvenable
14 years ago

Replying to doug.daulton:

I can change it in the DB. But, I think there is something in the BP code which is restricting it to admin.

Are you using WP or WPMU? If WPMU, did you make sure to set your other username as a site-admin in the WPMU options?

#4 @cnorris23
14 years ago

  • Keywords reporter-feedback added

#5 @apeatling
14 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Nothing in BP stopping this, this would be something that needs to be done in WP.

#6 @piphut
14 years ago

  • Component set to Core
  • Resolution invalid deleted
  • Status changed from closed to reopened

I deleted my "admin" username account some time ago and my administrator-level account username is "piphut". However, BuddyPress created my profile page as having "admin" in the URL, displays "@admin" on my profile page and now users are unable to send private messages to me because the system tries to send the message to "admin" when my username is actually "piphut".

Before the 1.2.4 upgrade I lived with it because the PMs still worked but now that is broken too.

http://piphut.com/members/admin/profile/public/

#7 follow-up: @DJPaul
14 years ago

piphut, the above should only work if there is a user account with user_login=admin in the wp_users db. Can you confirm this please if the record is still in your DB?

#8 @DJPaul
14 years ago

  • Milestone changed from 1.2.3 to 1.3

#9 @owrede
14 years ago

I can't send messages to users and my username is not "admin" (it is "wrede"). I am privileged as a site administrator though.

After submitting the message I get a Forbidden-Error page that points to the URL “/members/wrede/messages/compose” (with two slashes at the end).

Reported here: http://buddypress.org/community/groups/how-to-and-troubleshooting/forum/topic/private-messaging-broke-om-1-2-4/?_wpnonce=a33487ee69#post-55866

#10 in reply to: ↑ 7 @piphut
14 years ago

Replying to DJPaul:

piphut, the above should only work if there is a user account with user_login=admin in the wp_users db. Can you confirm this please if the record is still in your DB?

DJPaul, SELECT * FROM wp_users WHERE user_login="admin" returned zero rows. It does not exist.

#11 @r-a-y
14 years ago

@piphut - Try adding the following in wp-config.php:

define( 'BP_ENABLE_USERNAME_COMPATIBILITY_MODE', true );

It's possible that "admin" is still used in your "user_nicename".
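
A read-only check for the situation in comments 10 and 11, where user_login no longer contains "admin" but user_nicename may. This is an added example, not part of the ticket or of BuddyPress; it assumes MySQL and the default "wp_" table prefix.

```sql
-- Added audit query (not from the ticket). Assumes the default "wp_"
-- prefix; adjust the table names and the capabilities meta_key if the
-- install uses another prefix.
--
-- The query in comment 10 only looks at user_login. This one also looks
-- at user_nicename and display_name, and shows the stored role data so
-- a renamed account can be confirmed as still holding its privileges.
SELECT
    u.ID,
    u.user_login,
    u.user_nicename,
    u.display_name,
    CASE
        WHEN u.user_login    = 'admin' THEN 'default login still present'
        WHEN u.user_nicename = 'admin' THEN 'login renamed, nicename still admin'
        WHEN u.display_name  = 'admin' THEN 'display name still admin'
        ELSE 'nicename differs from login'
    END AS finding,
    m.meta_value AS capabilities      -- serialized PHP array of roles
FROM wp_users AS u
LEFT JOIN wp_usermeta AS m
       ON m.user_id  = u.ID
      AND m.meta_key = 'wp_capabilities'
WHERE u.user_login    = 'admin'
   OR u.user_nicename = 'admin'
   OR u.display_name  = 'admin'
   -- WordPress derives the nicename from the login by lowercasing it and
   -- replacing characters such as spaces and dots, so some rows matched
   -- by this last condition are expected and harmless.
   OR u.user_nicename <> LOWER(u.user_login)
ORDER BY u.ID;
```

A row reported as "login renamed, nicename still admin" matches the symptom in comment 6, where the profile URL kept /members/admin/ after the login was changed.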

#12 @r-a-y
14 years ago

@piphut's problem is resolved.

@owrede's still exists.

#13 @r-a-y
13 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed

I would say it's safe to close this as in WP 3.0 you can change the default "admin" username.
