Hidden Admin Authors plugin

Automated attacks are a constant problem for WordPress. The Hidden Admin Authors plugin provides a layer of security by hiding website administrators.

Details for the Hidden Admin Authors plugin

Plugin name: Hidden Admin Authors plugin
Status: Release candidate
URL: https://github.com/jwrobbs/jwr-hidden-admin-author
License: DBAD

Problem solved

The Hidden Admin Authors plugin does 2 things:

  1. Disable the User Rest API endpoint
  2. Reassign any posts authored by an administrator to another user

This should completely hide administrator accounts. While you could hide all accounts, this gives the bad actors a target – a honeypot. The How it works section will explain how.

How it works

Note: The Hidden Admin Authors plugin uses my options panel plugin and ACF Pro.

Set up

  1. Install and activate the plugins
    1. ACF Pro
    2. JWR’s Control Panel
    3. Hidden Admin Authors
  2. Create a new user. This is a dummy user that no one will ever use but will be publicly available as an author.
    Set it to “contributor” and set the name to whatever you want to be displayed. Pay attention to the User ID. You’ll need that in the next step.
  3. Go to JWR’s Control Panel (that really needs a better name)

    1. Add the User ID to the Substitute Author ID field
    2. Ensure that Disable Users REST API is set as you desire
    3. SAVE it

Behind the scenes

If selected, the User REST API endpoint should be immediately disabled.

As for the authorship updates, that happens on save. When a post is saved, a script checks the author’s role. If the author is an admin, the post’s authorship will be assigned to the dummy user.

Honeypot

Anyone who attempts to log into the dummy account is a bad actor. The plugin isn’t integrated with any security plugins. So it won’t automatically block the IP. (That is an interesting idea though.) But you can pull the data from your logs and manually block the IPs if you wish.

The attacker shouldn’t be able to crack your password. But should they get lucky, the dummy account has no power. It can’t do anything.

Known Issues

No known issues.

I’m considering adding a bulk update tool.

Tagged: ,

Josh on Github Josh on LinkedIn Josh on Twitter