Forum Replies Created

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter Annandale Apps

    (@annandale-apps)

    OK. I found out in the end.

    Authors can upload files into the media library, and that’s where the weakness was. He uploaded a particular file that roots around the website and finds weak points and essentially hacks it. From this, he could basically set up the website as if it were being installed for the first time, and create an admin account as the creator of the website.

    He’s a little cheeky monkey, but I did get to the source of the issue. Basically, he was only able to do this because he already had Author access to the site. He couldn’t have uploaded a file to the media library if he had just been a subscriber.

    Since then though, I’ve installed a raft of security plugins, only let .png and .jpg be uploaded, and added a rather cool Dual-Authentication SMS code generator, which basically texts me a code every time an admin tries to log in (very cool).

    All of which means that he won’t be able to sneak in again.

    Thread Starter Annandale Apps

    (@annandale-apps)

    I certainly didn’t read it as rude, so no worries there.

    I agree that he’s the only one who knows the exact answer, so I’ll just have to (as you say) feed his ego.

    I’ll meet him tomorrow, but in the meantime I’ve installed about a dozen security plugins, Admin SMS dual-authentication and so on.

    If there is a security flaw in my website, I’d rather find out from a student/colleague with an ego, than a real hacker trying to steal my website.

    Thread Starter Annandale Apps

    (@annandale-apps)

    I don’t want him to be deleted, but rather I don’t want him to become admin again.
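
The upload restriction mentioned in the first reply (only .png and .jpg allowed), written out as an added example; it is not part of the original posts and is not the code of any plugin the poster installed. The file location, the constant name `EXAMPLE_ALLOWED_MIMES` and the error strings are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Restrict uploads to PNG/JPEG (added example)
 * Constructed example; assumed location: wp-content/mu-plugins/restrict-uploads.php
 */

// Extension pattern => MIME type allow-list (hypothetical constant name).
const EXAMPLE_ALLOWED_MIMES = array(
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
);

// 1. Replace the list of upload types WordPress accepts with the allow-list,
//    so every role that can upload (Author and above) is limited to it.
add_filter( 'upload_mimes', function ( $mimes ) {
    return EXAMPLE_ALLOWED_MIMES;
} );

// 2. Inspect each file before WordPress moves it into the uploads directory.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    // Let WordPress report PHP-level upload errors itself.
    if ( ! empty( $file['error'] ) ) {
        return $file;
    }

    // The file name must map to an allowed extension and MIME type.
    $check = wp_check_filetype_and_ext(
        $file['tmp_name'],
        $file['name'],
        EXAMPLE_ALLOWED_MIMES
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        // A non-numeric error string makes WordPress reject the upload.
        $file['error'] = 'Only .png and .jpg images may be uploaded.';
        return $file;
    }

    // The content must parse as an image of an allowed type; a script that
    // was merely renamed to .jpg has no image header and fails here.
    $info = @getimagesize( $file['tmp_name'] );
    if ( false === $info || ! in_array( $info['mime'], EXAMPLE_ALLOWED_MIMES, true ) ) {
        $file['error'] = 'File content is not a PNG or JPEG image.';
    }

    return $file;
} );
```

A file that parses as a valid image can still carry other bytes in its metadata, so this check belongs alongside a web server configuration that does not execute scripts under `wp-content/uploads`.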
