I have to agree with Herko that any password protected site will be the subject of brute force attacks, and that is not unique to XOOPS by a long way.
There are a number of things the individual site admin can do to ensure increased security:
1) Change your password on a regular basis.
2) Use passwords which are harder to crack. By this I mean ideally over 12 characters, with a combination of letters in different cases and numbers. Definitely avoid names, dates and dictionary words in any language.
3) Keep the number of users with admin privileges as low as practically possible.
On that note however, there are some things IMHO that may be possible to incorporate into the XOOPS system:
1) After, say, 3 concurrent failed login attempts, the admin account is suspended, the password reset and a new password automatically generated and sent to the admin by email.
2) Incorporate the option of site admins having two identities. One is the public username, or pseudonym, that is displayed when the admin is online or makes posts etc. The other is the admin login name that is NEVER displayed on public areas of the site. This way, brute force attacks would have to match a username and password, neither of which they know. With the current system, everyone knows the login of the site admin, so it's only the password that has to be cracked.
Again, just an opinion or two...
Regards,
Gareth
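As an added illustration of the two suggestions in this post (suspend-and-reset after a fixed number of consecutive failed logins, and a private login name kept separate from the public display name), here is a small Python model. It is not XOOPS code and not the poster's; the account details, the word list used for the dictionary check and the in-memory "outbox" standing in for email delivery are constructed for the example, and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILED_ATTEMPTS = 3      # threshold suggested in the post
PBKDF2_ROUNDS = 200_000      # assumed work factor, not a XOOPS setting

# Constructed stand-in for a name/dictionary list (point 2 of the post).
COMMON_WORDS = {"password", "admin", "xoops", "gareth", "letmein", "welcome"}


def password_is_strong(pw: str) -> bool:
    """Post's rule of thumb: 12+ chars, mixed case plus digits, no dictionary words."""
    if len(pw) < 12:
        return False
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)):
        return False
    lowered = pw.lower()
    return not any(word in lowered for word in COMMON_WORDS)


def hash_password(pw: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, hash)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    login_name: str       # private identifier, never rendered on public pages
    display_name: str     # public pseudonym shown on posts and "who is online"
    email: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    suspended: bool = False


@dataclass
class AuthService:
    accounts: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)   # (email, message) pairs; stand-in for SMTP

    def register(self, login_name: str, display_name: str, email: str, password: str) -> Account:
        if not password_is_strong(password):
            raise ValueError("password does not meet policy")
        salt, pw_hash = hash_password(password)
        acct = Account(login_name, display_name, email, salt, pw_hash)
        self.accounts[login_name] = acct
        return acct

    def public_name_for(self, login_name: str) -> str:
        """Templates only ever receive the display name, never the login name."""
        return self.accounts[login_name].display_name

    def login(self, login_name: str, password: str) -> bool:
        acct = self.accounts.get(login_name)
        if acct is None:
            # Spend the same hashing cost so unknown names are not cheaper to probe.
            hash_password(password, b"\x00" * 16)
            return False
        _, candidate = hash_password(password, acct.salt)
        matched = hmac.compare_digest(candidate, acct.pw_hash)
        if acct.suspended:
            # Only the freshly emailed password lifts the suspension; nothing else counts.
            if matched:
                acct.suspended = False
                return True
            return False
        if matched:
            acct.failed_attempts = 0      # success resets the consecutive-failure counter
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self._suspend_and_reset(acct)
        return False

    def _suspend_and_reset(self, acct: Account) -> None:
        """Point 1 of the post: suspend, rotate to a random password, notify by email."""
        acct.suspended = True
        new_pw = secrets.token_urlsafe(16)
        acct.salt, acct.pw_hash = hash_password(new_pw)
        acct.failed_attempts = 0
        self.outbox.append((acct.email,
                            f"Account suspended after repeated failures. New password: {new_pw}"))
```

The point worth noticing is that the old password stops working the moment the threshold is hit, so an attacker who keeps guessing after the lockout is guessing against a hash that no longer corresponds to anything they could have seen, while the legitimate admin recovers through the mailbox rather than a support ticket.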