noindex, no follow, no archive also for login page #9121
Comments
👍 One could still crawl for Piwik installations though, at least in most cases when one uses JS tracking. E.g. one can search for the standard Piwik snippet in a website and get the URL to the Piwik instance. This can be automated too; it is harder this way though, as one has to actually crawl websites. There are also some services, I think, that show which websites use Google Analytics, Piwik, ... A very important thing would be to actually prevent brute force attacks, e.g. via #2888 or by making authentication a few seconds slower each time a login fails, etc.
Of course this is only one step and there are more to do! Hmm, can one really find Piwik by searching for a part of an embedded code snippet? Doing a site specific search on our domain (site:www. ... ) which is using Piwik
You could crawl the internet yourself, e.g. with something like http://nutch.apache.org/ or any other web crawler. There might even be search engines already that let you search for certain snippets in a website. Just saying, with enough effort your Piwik can usually still be found (unless you are maybe using LogImporter and do not track client side). Therefore it is also important to work on the brute force attack issue.
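The mitigation raised in the comments above, making each failed login slow down the next attempt, sketched in Python as an added example; it is not Piwik code and not part of any comment in this thread. The class name `LoginThrottle`, its parameters and the choice of throttle key are assumptions.

```python
import time


class LoginThrottle:
    """Per-key login delay that doubles with each consecutive failure.

    Hypothetical helper. The key is whatever the application throttles on
    (username, client IP, or both); keying on username alone lets a third
    party delay the real user, so pairing it with the source address is common.
    """

    def __init__(self, base_delay=1.0, max_delay=60.0, window=900.0,
                 clock=time.monotonic):
        self.base_delay = base_delay  # delay after the first failure, seconds
        self.max_delay = max_delay    # upper bound on the delay
        self.window = window          # failures older than this are forgotten
        self.clock = clock            # injectable so the logic can be tested
        self._state = {}              # key -> (consecutive failures, last failure time)

    def _failures(self, key):
        count, last = self._state.get(key, (0, 0.0))
        if count and self.clock() - last > self.window:
            self._state.pop(key, None)  # stale history: start again from zero
            return 0, 0.0
        return count, last

    def retry_after(self, key):
        """Seconds that must still pass before another attempt is evaluated."""
        count, last = self._failures(key)
        if count == 0:
            return 0.0
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        return max(0.0, last + delay - self.clock())

    def attempt(self, key, credentials_ok):
        """Return 'throttled', 'ok' or 'failed'.

        credentials_ok is a callable and is NOT invoked while throttled, so a
        correct guess made during the delay is never confirmed to the caller.
        """
        if self.retry_after(key) > 0:
            return "throttled"
        if credentials_ok():
            self._state.pop(key, None)  # success clears the failure history
            return "ok"
        count, _ = self._failures(key)
        self._state[key] = (count + 1, self.clock())
        return "failed"
```

In a real deployment the state would live in shared storage rather than process memory, so that every web worker sees the same failure counts.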
Thanks for the suggestion! But because it does not help security, I don't want to do it. One is welcome to write a plugin to do it, but honestly there is no value in terms of security.
follow up to #6552 and as proposed in #8058 (comment)
=> a new ticket for better security of login page:
From security point of view an easy to find login page is not that great.
One could e.g. easily do the following thing - FULLY AUTOMATED:
on other systems there is a great effort to hide login page with the following:
so I would strongly vote for noindex, no follow, no archive also for login page
another idea what could happen also on non ecommerce sites is written here: #8058 (comment)