What are the safety measures that I need to take after giving a freelance developer access to my magento2 backend credential and FTP credential?

I gave a freelance developer the magento2 backend credential and FTP credential to outsource the development of a custom magento2 module. What are the safety measures that I need to take, aside from changing the passwords of the magento2 backend and FTP, to prevent being hacked in the future?

Ensure that you give your freelancers an admin panel login with a new user and password to work with. You can do that from the Magento 2 admin panel itself. If you have not done so, and you gave them the master admin user name and password, you need to change your admin password using the following query.
UPDATE admin_user SET password = CONCAT(SHA2('xxxxxxxYourNewPassword', 256), ':xxxxxxx:1') WHERE username = 'admin';
To learn more about resetting the password, go to the link.
And you definitely have to change the FTP credentials too, from your server back end.
For the most care, you can restrict the admin login by IP address.
Hope these things are helpful to you.
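The separate-account and password-reset advice above, as an added SQL example that is not part of the original answer. It assumes a stock Magento 2 `admin_user` table without a table prefix (columns `is_active`, `created`, `modified`, `logdate`), MySQL 5.6.17 or later for `RANDOM_BYTES`, and a hypothetical contractor username `freelancer_dev`.

```sql
-- Added example, not from the original answer. Table and column names are
-- assumed from a stock Magento 2 schema; adjust for a table prefix.

-- 1. Review every backend account: look for users you did not create,
--    recent creation dates, and accounts that are still active.
SELECT user_id, username, email, is_active, created, modified, logdate
FROM admin_user
ORDER BY created DESC;

-- 2. Deactivate the account the freelancer used once the work is delivered
--    ('freelancer_dev' is a hypothetical username).
UPDATE admin_user
SET is_active = 0
WHERE username = 'freelancer_dev';

-- 3. Reset the master admin password in the same hash:salt:1 layout as the
--    query above, but with a random salt instead of a fixed string.
SET @salt = HEX(RANDOM_BYTES(16));                 -- 32 hex characters
SET @new_password = 'REPLACE_WITH_NEW_PASSWORD';   -- placeholder value
UPDATE admin_user
SET password = CONCAT(SHA2(CONCAT(@salt, @new_password), 256), ':', @salt, ':1')
WHERE username = 'admin';

-- 4. Confirm the stored value: a 64-character SHA-256 hex digest, then the
--    salt, then the version marker.
SELECT username,
       LENGTH(SUBSTRING_INDEX(password, ':', 1)) AS digest_len,    -- expect 64
       SUBSTRING_INDEX(password, ':', -1)        AS hash_version   -- expect 1
FROM admin_user
WHERE username = 'admin';
```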

Related

How to enforce Joomla password policy when users reset passwords

I've set a Joomla site password policy via users > options.
If I add a new user via the backend and try to set an insecure password, the policy seems to work and I get the appropriate error message.
If the user logs in, goes to their profile and changes their password, the password policy is still enforced.
However, if the user goes to the login screen, chooses 'Forgot your password' they are able to choose a new password which doesn't pass the policy.
I'm using the default Joomla login and registration extensions and as far as I can see, there's nothing else that could be causing a conflict.
Does anyone have some suggestions on where to look?
EDIT
Site is using Joomla! 3.3.6 Stable, which is currently the latest version of Joomla
Thanks a lot!

How to Create Admin Account on BitNami WordPress for XAMPP Windows?

I'm trying to install BitNami Wordpress on XAMPP for Windows, but I have a slight problem here. There's this Create Admin Account dialog box on my way through installation and it seems to require me to fill the boxes in. It's asking for Login, My real name, Email address, My existing MySQL password for XAMPP, and Application password. I don't know what kind of password I should type in, since I haven't even typed in any password for anything. I've tried to leave it blank and click Next, but it won't allow me.
For a better understanding of my question, you can view it here, No. 3 and No. 4 : http://wiki.bitnami.com/Infrastructure_Stacks/BitNami_for_XAMPP#What_is_the_XAMPP_MySQL_password.3f
For the first password field, you will have to add the password of phpMyAdmin (if any).
For the second password and retype password fields, you will have to add the password you want to set for the WordPress admin.

Where and how are passwords stored in Magento?

It would be a tremendous user experience bless to have a universal login across various apps of my website. For now, I have a storefront of Magento and a community of IPS board. And I'm trying to integrate them into one universal login for my users.
IPS board offers a variety of login methods and one of them is External Database that enables me to integrate it with an external database for user details.
Fantastic! So I can link IPS with Magento's database for unified user credentials.
However, thus far I can only find the email field that is customer_entity.email.
My questions are:
What is the password hash field (table.field) in Magento?
How does Magento generate password hash? MD5? SHA1? What is the salt (I guess it's different by installation but where can I find it)?
As you can see from the attached images, I need the details of where and how Magento stores password to enable IPS to use Magento's database as external database for user login details.
Any idea or suggestion on how to get this done would be greatly appreciated!
Customer's password is stored in customer_entity_varchar; it is an EAV attribute. You can't use IPB external database functionality. You should use Mage::getModel('customer/customer')->authenticate($login, $password); to authenticate customers in your code.
You can find the encryption key in /app/etc/local.xml. I haven't looked at the user table but my guess would be the hash field is the encrypted password.
Encryption functionality is in Mage_Core_Model_Encryption so if you can gain access to Magento from your IPS board, you could do something similar to:
$password = 'whatever'; //your logic provides this password
require_once('app/Mage.php'); //path to your Magento app/Mage.php
Mage::app(); //we can now use magento functionality
$decrypted = Mage::getModel('core/encryption')->decrypt($password);
You'll need to work out where best to put this logic in order to integrate it, but it's a start at least.

cPanel /Host / Access to phpMyAdmin

I have a host and cPanel access but only one main user and password to cPanel.
I want to give someone access to phpMyAdmin but don't want to give that person my main user and password for cPanel.
Is there any way to give someone access to phpMyAdmin but not cPanel?
The phpMyAdmin which comes with cPanel (in the 3rdparty-directory) is apparently secured with the cpanel-authentication, so the answer is "no".
You could install your own phpMyAdmin (maybe it's even available in the script-center/one-click-installer) and set it up to directly authenticate on the MySQL-server with your custom MySQL-user or just let your user enter his credentials which you have supplied.
As I was looking for an answer to this question, I found the following method that did the job for me:
How to access phpMyAdmin directly from my domain?
This worked well for me, although I'm using a different hosting provider than Siteground.
Steps I followed:
Downloaded the phpmyadmin installation package. I found the appropriate version, as hosted on my server at sourceforge.net/projects/phpmyadmin/files/phpMyAdmin
Extracted the package.
Uploaded the files into a suitable folder. I used: public_html/phpmyadmin/
Now, via the direct URL [http://yourdomain.com/phpmyadmin] I can strictly grant access to a specific database I have created in cPanel (using the specific user name + password).
Please note this extra security measure:
For additional security we would also recommend you to Password Protect the directory in which the tool is installed.
You cannot give direct access to your phpMyAdmin without providing direct cPanel access as well.
This is a security measure from cPanel as phpMyAdmin is known to be one of the most exploited PHP applications of all time. It is only available after you start your session by logging into cPanel.
A nice workaround for this is to do the following:
Create a MySQL User for the other person. Assign that MySQL User to your Database. Both of those are done through:
cPanel -> MySQL Databases
After that you need to allow access for the other person by adding his/her IP address in your Remote MySQL Connection - this is also a tool in cPanel.
After that the other person will be able to connect to your Database without direct access to your cPanel or phpMyAdmin; it can be done using software like MySQL Workbench.
The cPanel user account has privileges to control all databases created under the cPanel account, and because phpMyAdmin in cPanel uses cPanel authentication, you are automatically redirected to the phpMyAdmin control page without being asked for login info.
Your goal can be achieved by changing the cPanel password without changing the MySQL user password.
You can do the following steps:
1 - Create a MySQL user and add this user to the database with full privs.
2 - Create a new cPanel account. Log in through the new account.
3 - Change the new cPanel user password through "Change Password" and un-check Allow MySQL password change.
4 - Click phpMyAdmin from the new cPanel account and you will be asked for login info.
5 - Type the login info of the MySQL user created in step 1.
You can now log in to the required database without the old account's cPanel info.
Another solution is to copy /usr/local/cpanel/base/3rdparty/phpMyAdmin to /usr/local/apache/htdocs and log in through http://ip/phpMyAdmin
Don't forget to change the auth_type in /usr/local/apache/htdocs/phpMyAdmin/config.inc.php to http or cookie
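The dedicated database user from the workaround above, written as the SQL that the cPanel MySQL Databases and Remote MySQL tools stand in for. This is an added example, not taken from any of the answers; it assumes direct SQL access with account-management privileges on MySQL 5.7 or later, and the user name `contractor`, database `shop_db` and address 203.0.113.25 are placeholders.

```sql
-- Added example, not from the answers. All names, the password and the
-- IP address are placeholders.

-- 1. Create an account that can only connect from the other person's IP
--    address, must use TLS, and whose password expires after 30 days.
CREATE USER 'contractor'@'203.0.113.25'
  IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD'
  REQUIRE SSL
  PASSWORD EXPIRE INTERVAL 30 DAY;

-- 2. Scope the account to one database. The answers describe full
--    privileges on that database (GRANT ALL PRIVILEGES ON `shop_db`.*);
--    a narrower list like this one is enough for data-only work.
GRANT SELECT, INSERT, UPDATE, DELETE
  ON `shop_db`.*
  TO 'contractor'@'203.0.113.25';

-- 3. Check the result: the output should show USAGE on *.* plus the single
--    database-level grant, and nothing at the global level.
SHOW GRANTS FOR 'contractor'@'203.0.113.25';

-- 4. Look for other accounts that accept connections from any host.
SELECT user, host
FROM mysql.user
WHERE host = '%';

-- 5. When the work is finished, remove the access entirely.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'contractor'@'203.0.113.25';
DROP USER 'contractor'@'203.0.113.25';
```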

magento 1.4.1.1 admin login problem

I'm using Magento ver. 1.4.1.1.
I'm always able to login with the administrative account that was created during the installation.
I created a new user and a new role. After that I assigned the new role to the new user. Also I made sure the new user is active.
Now when I try to log in with the new username and password, the system reports an Invalid Username or Password.
How to solve this issue?
Thanks and regards,
Logan
First of all, try the original administrator role.
If it logs in then there is a problem with the custom role.
The custom role, I think, in 1.4x requires global search to be checked. Otherwise there may be a module that doesn't have permissions XML set up correctly in etc/config.xml
