Admin Account Security Best Practices?

Hello,

I have searched for something like this but have not been able to find exactly what I am looking for.

I am trying to protect my admin account. My concern, which is most likely an edge case but possible nevertheless, is that someone could keep trying my admin account username (visible because I use it to post user guides etc.) and lock me out by simply trying it several times. I know this won’t lock me out permanently, but I would like to avoid this altogether.

Will enabling 2FA prevent this?

Also, as a best practice, should I have both a moderator account for myself to moderate the forum, and an admin account to do everything admin related?

I think my confusion stems from the fact that when I first set up the forum, ‘system’ was the account that did everything and when I would post messages it would come from system.

Thank you.

1 Like

If someone is trying to brute force into your account, it will most probably ban their IP address and not really your account IIRC.

Using 2FA will surely help a lot as it deters the malicious actors a lot.

If you’re using a static IP on your home network you may be able to whitelist your own IP address so you don’t get locked out.

Using a very long password is also a fairly good measure at deterring the brute force.

2 Likes
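To make the point in the reply above concrete (throttling keyed on the attacker's IP address, not on the account, plus an allowlist for your own static IP), here is an added example in Ruby. It is not Discourse's own code; the limits (5 failures per 15 minutes), the IP addresses, the `admin` account and its password are all constructed for the demonstration.

```ruby
require 'set'

# Added example (not Discourse's code): a failed-login throttle keyed on the
# client IP rather than on the username. Hammering a public username from one
# address exhausts that address's budget, while the real owner, logging in from
# elsewhere (or from an allowlisted IP), is unaffected.
class LoginThrottle
  MAX_FAILURES = 5        # failures allowed per IP inside the window (assumed value)
  WINDOW       = 15 * 60  # seconds (assumed value)

  def initialize(allowlist: [])
    @allowlist = Set.new(allowlist)                # IPs that are never throttled
    @failures  = Hash.new { |h, k| h[k] = [] }     # ip => timestamps of failures
  end

  # May this IP attempt a login at time `now` (unix seconds)?
  def allowed?(ip, now)
    return true if @allowlist.include?(ip)
    @failures[ip].reject! { |t| now - t > WINDOW }  # forget failures outside the window
    @failures[ip].size < MAX_FAILURES
  end

  def record_failure(ip, now)
    @failures[ip] << now unless @allowlist.include?(ip)
  end

  # A successful login resets the counter for that IP only.
  def record_success(ip)
    @failures.delete(ip)
  end
end

# Replays a list of login events through the throttle and returns
# { ip => [:ok | :denied | :throttled, ...] } in event order.
def replay(events, allowlist: [])
  throttle = LoginThrottle.new(allowlist: allowlist)
  results  = Hash.new { |h, k| h[k] = [] }
  events.each do |e|
    ip, user, pw, t = e.values_at(:ip, :user, :password, :t)
    if !throttle.allowed?(ip, t)
      results[ip] << :throttled               # rejected before the password is even checked
    elsif user == 'admin' && pw == 'correct horse'   # constructed credential check
      throttle.record_success(ip)
      results[ip] << :ok
    else
      throttle.record_failure(ip, t)
      results[ip] << :denied
    end
  end
  results
end

# Constructed scenario 1: an attacker guesses the public admin username eight
# times from 203.0.113.9, then the real admin logs in from 198.51.100.4.
ATTACK_THEN_OWNER =
  (1..8).map { |i| { ip: '203.0.113.9', user: 'admin', password: "guess#{i}", t: 1000 + i } } +
  [{ ip: '198.51.100.4', user: 'admin', password: 'correct horse', t: 1010 }]

# Constructed scenario 2: the admin mistypes the password six times from their
# own static IP, then gets it right.
OWNER_FUMBLES =
  (1..6).map { |i| { ip: '198.51.100.4', user: 'admin', password: "typo#{i}", t: 2000 + i } } +
  [{ ip: '198.51.100.4', user: 'admin', password: 'correct horse', t: 2010 }]

if __FILE__ == $PROGRAM_NAME
  p replay(ATTACK_THEN_OWNER)
  p replay(OWNER_FUMBLES)                               # throttled after 5 failures
  p replay(OWNER_FUMBLES, allowlist: ['198.51.100.4'])  # allowlisted IP never throttled
end
```

The design choice that matters here is the key of the counter: counting failures per username and locking the account after N of them is exactly the denial-of-service the original question worries about, because anyone who knows the public username can trigger it. Counting per source IP (with the allowlist as a safety valve) means the attacker's failures only ever cost the attacker.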

If anyone was going to try to log in as you, they would have to know the email address you used when you set up your account. If you forgot your password, they would also have to have access to your email account to receive a password reset… if the reset is even possible.

Do you log out as administrator? If not, every time you go to your forum, your IP address and cookie are recognized and you are logged in automatically. If you do log out, that’s when you have to log back in using your email address (used at creating your forum) and password.

From your description, you are concerned about a potential situation happening and not something that has actually happened?

Regarding having a separate moderator and an Admin account: Unless you also make the mod account an Admin, as a moderator you will not be able to access the Admin functions. I am an Admin but don’t have a separate Mod account. I do have one Mod whom I trust that I also made an Admin… but she doesn’t mess with any Admin duties (afraid to mess up the forum? :laughing:). But should something happen to me - although I plan on living to 102 so I have 35 years to go - this Mod can take over. My other Mod is “just a Mod”.

The ‘system’ is the forum software. When you set up your forum you did set up an account for yourself, didn’t you? It seems that would be a requirement. When you post something, it should show it as being posted by you and not by the system. It seems strange that your posts would be shown as “system” and not from your username.

1 Like

That’s not correct, you can log in by username.

2FA will stop anyone that steals your password from reuse but DIDN’T get malware into your computer.

Even in the worst case, you still have SSH access to the server and can restore your access from there.

4 Likes
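The reply above says why 2FA helps: a stolen password on its own is no longer enough to log in. The added Ruby example below shows a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238 with HMAC-SHA1, 30-second steps and 6 digits, the scheme authenticator apps use). It is not Discourse's code; the account record, the salt and the password are constructed, and the TOTP secret is the RFC 6238 test-vector secret so the expected codes are known.

```ruby
require 'openssl'

# Added example (not Discourse's code): password + TOTP login verification.
STEP        = 30        # TOTP time step in seconds (RFC 6238 default)
DIGITS      = 6         # code length
PBKDF2_ITER = 100_000   # assumed work factor for the password hash

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
# dynamic truncation to DIGITS decimal digits.
def hotp(secret, counter)
  hmac   = OpenSSL::HMAC.digest('SHA1', secret, [counter].pack('Q>')).bytes
  offset = hmac[19] & 0x0f
  code   = ((hmac[offset] & 0x7f) << 24) |
           (hmac[offset + 1] << 16) |
           (hmac[offset + 2] << 8) |
           hmac[offset + 3]
  format("%0#{DIGITS}d", code % 10**DIGITS)
end

# TOTP (RFC 6238): HOTP with the counter derived from unix time.
def totp(secret, unix_time)
  hotp(secret, unix_time / STEP)
end

# Constant-time string comparison so a wrong code cannot be distinguished
# by response timing. (OpenSSL.fixed_length_secure_compare would also do.)
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accept the current step and +/- `drift` neighbouring steps for clock skew.
def totp_valid?(secret, code, unix_time, drift: 1)
  counter = unix_time / STEP
  (-drift..drift).any? { |d| counter + d >= 0 && secure_equal?(hotp(secret, counter + d), code) }
end

def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITER, length: 32, hash: 'sha256')
end

# Constructed account record (values chosen for the example only).
CONSTRUCTED_ACCOUNT = {
  username:      'admin',
  salt:          'constructed-salt',
  password_hash: hash_password('correct horse', 'constructed-salt'),
  totp_secret:   '12345678901234567890'   # RFC 6238 Appendix B test secret
}.freeze

# Returns :ok, :bad_password or :bad_code. The second factor is only
# checked after the password, so a stolen password alone yields :bad_code.
def login(account, username, password, code, unix_time)
  pw_ok = username == account[:username] &&
          secure_equal?(hash_password(password, account[:salt]), account[:password_hash])
  return :bad_password unless pw_ok
  return :bad_code unless totp_valid?(account[:totp_secret], code.to_s, unix_time)
  :ok
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.to_i
  puts "current code: #{totp(CONSTRUCTED_ACCOUNT[:totp_secret], now)}"
  p login(CONSTRUCTED_ACCOUNT, 'admin', 'correct horse', '000000', now)   # password only: :bad_code
  p login(CONSTRUCTED_ACCOUNT, 'admin', 'correct horse',
          totp(CONSTRUCTED_ACCOUNT[:totp_secret], now), now)               # both factors: :ok
end
```

The caveat in the reply still holds in this model: the check protects against someone who has only the password. If malware on the admin's machine can read the authenticator app's secret or hijack the already-authenticated session cookie, there is nothing for the second factor to stop.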

I stand corrected. I did forget about the SSH access route. :man_facepalming:

Thanks to you all for taking the time as these are helpful responses.

So, it looks like 2FA is always a good idea, and if all goes south at least I have SSH access. Makes sense.

Also,

You are absolutely correct. I did set up an Admin and I was posting from that, not from system. My mistake.

Does anyone know if you can change a setting to NOT allow username logins (i.e., require email)?

Thanks again.

1 Like

Correct. And this applies everywhere, not just Discourse. If a site you use supports 2FA, you absolutely should configure it.

3 Likes