Security feature requests

#1

I have some suggestions.

1. Ability to edit a page's full source code in the SiteCake editor.

Reason:
For example, let's say you have a website built for someone and they want to change something in the
This would save me a headache once in a while. Also see suggestion 3 for more info.


(I know I have suggested this one before.)

2. Changing the login system to include a password and a username (this should actually be essential),

and also forcing the user to change the default password on first login, the ability to include a captcha on the login, and a configurable timer that will lock someone out for x amount of minutes after x amount of failed login attempts, as well as a log file that supports logging addresses for failed logins using the WEBRTC protocol, and also adding the ability to add extra editors (users) to the editor, or even a notification system that alerts the user to failed login attempts inside of SiteCake or by using SMTP (that would be nice).

(Personally I use Cloudflare with all of my SiteCake websites and actually use a page rule to always challenge a user that is not whitelisted, so they have to pass Cloudflare's captcha to even browse the site on most "production" installations, but not everyone can use Cloudflare, or some people don't know how to.)

Reason:

  1. This would make automated attacks such as brute force harder to do. This would also protect against defacement on websites that have a "default" installation, as it would force the change of the password on the first login. The captcha and timer option would also help against people/bots that are trying to "crack the password" (I actually have an example that I have sent off to predragleka that kind of applies here).

  2. The logging of addresses on failed logins, or even all logins, would also be useful. For example, if you have 2 log files, one that tracks successful logins and one that tracks failed ones, a skilled administrator could write scripts to monitor the failed login attempts log and have it automatically blacklist malicious addresses in the firewall (for example, someone could plug it into fail2ban). Using WEBRTC to log IP addresses can also be useful if an attacker has not disabled it, or if they are using a VPN and the VPN is not protecting against it (or if, let's say, there are multiple users of a SiteCake editor and one guy gets pissed off and defaces the website and then claims it wasn't him, WEBRTC might just say otherwise). (This isn't foolproof either, because my VPN definitely protects against WEBRTC leaks when I'm using it.)

  3. Or that same administrator can write a script to monitor the successful logins and, say, use a dashboard to visualize statistics.

Currently, at this time, there are no known probes for the SiteCake editor, but in the future someone skilled may possibly craft one, so implementing this at an early stage may be helpful. @Nik I have sent you a message regarding this and you should read it as soon as possible.

I really think that the implementation of some of this should be done in the next release.

3. An option that can set the SiteCake website and its file permissions to 777 when you want to update the HTML files via FTP, and also an option to "put the permissions back to where they were before the edits".

Reason:
Sometimes when I use FTP to change the HTML files on a SiteCake website I will get permission denied when I try to change them, and chmod from the FTP client will not change the permissions in some cases, so I have to use my server's "control panel" or SSH terminal to fix the permissions. This can be frustrating sometimes.
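The login hardening asked for in suggestion 2 (username plus password, a forced change of the default password on first login, a configurable lockout after repeated failures, and separate success/failure logs that a fail2ban-style watcher can read) is sketched below as an added example. It is not SiteCake's code and assumes nothing about SiteCake's internals; the settings, user store, log line format and the `LoginGuard`, `offending_hosts` and `hash_password` names are all hypothetical, and the sample addresses and default password are constructed.

```python
import hashlib
import hmac
import re
import secrets
import time
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical settings for this sketch; they are not SiteCake's own options.
MAX_FAILURES = 5            # failed attempts from one address before lockout
LOCKOUT_SECONDS = 15 * 60   # how long that address stays locked out
PBKDF2_ROUNDS = 100_000


def hash_password(password: str) -> str:
    """Salted PBKDF2-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Used when the username is unknown, so unknown and known users cost the same time.
DUMMY_HASH = hash_password(secrets.token_hex(16))


@dataclass
class User:
    username: str
    password_hash: str
    must_change_password: bool = True   # still on the installation default


@dataclass
class LoginGuard:
    users: dict[str, User]
    clock: Callable[[], float] = time.time                  # injectable for tests
    failures: Counter = field(default_factory=Counter)      # ip -> consecutive failures
    locked_until: dict[str, float] = field(default_factory=dict)
    failed_log: list[str] = field(default_factory=list)     # one "file" for failures...
    success_log: list[str] = field(default_factory=list)    # ...and one for successes

    def _stamp(self) -> str:
        return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(self.clock()))

    def attempt(self, ip: str, username: str, password: str) -> str:
        now = self.clock()
        if now < self.locked_until.get(ip, 0.0):
            self.failed_log.append(f"{self._stamp()} LOCKED_OUT ip={ip} user={username}")
            return "locked_out"
        user = self.users.get(username)
        stored = user.password_hash if user is not None else DUMMY_HASH
        # Unknown user and wrong password get the same answer and the same log line.
        ok = verify_password(password, stored) and user is not None
        if not ok:
            self.failures[ip] += 1
            self.failed_log.append(f"{self._stamp()} FAILED_LOGIN ip={ip} user={username}")
            if self.failures[ip] >= MAX_FAILURES:
                self.locked_until[ip] = now + LOCKOUT_SECONDS
                del self.failures[ip]
                return "locked_out"
            return "failed"
        self.failures.pop(ip, None)
        self.success_log.append(f"{self._stamp()} LOGIN_OK ip={ip} user={username}")
        return "password_change_required" if user.must_change_password else "ok"

    def change_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user.password_hash = hash_password(new_password)
        user.must_change_password = False


# What a fail2ban-style watcher would match in the failure log (failregex with <HOST>).
FAIL_PATTERN = re.compile(r"\bFAILED_LOGIN ip=(?P<host>\S+)")


def offending_hosts(log_lines, maxretry: int = MAX_FAILURES) -> set[str]:
    """Addresses with at least `maxretry` FAILED_LOGIN lines; LOCKED_OUT lines are not counted."""
    hits = Counter(m.group("host") for line in log_lines if (m := FAIL_PATTERN.search(line)))
    return {host for host, n in hits.items() if n >= maxretry}


if __name__ == "__main__":
    # Constructed demo: a fresh install still on the default password "admin".
    guard = LoginGuard(users={"admin": User("admin", hash_password("admin"))})
    for _ in range(MAX_FAILURES):
        guard.attempt("203.0.113.7", "admin", "guess")
    print(guard.attempt("203.0.113.7", "admin", "admin"))   # locked out even with the right password
    print(offending_hosts(guard.failed_log))                 # the address a firewall script would block
```

The lockout is keyed on the client address rather than the account, so a flood of bad guesses cannot lock the real administrator out from elsewhere, and the failure log carries the address in a fixed `ip=` field so that an external tool only needs one regular expression to pick it up.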

#2

+1 for multiple password support.

With the existing format, at least allow two logins so the admin one can be changed and reserved for the developer, who can give the other to the client or site owner.

Seems easy to allow SiteCake to authenticate any key in the list, each on a separate line or using a delimiter. Currently it allows only one password/key.

User management may not be in scope for this tool, so it may be more practical to give devs a good way to disable/replace the default SiteCake login so that a more robust user management platform could be enabled for loading the admin.php page.
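The "one key per line, authenticate against any of them" idea from this reply, as an added example that is not SiteCake's code: each line carries a label and the SHA-256 of a key, every entry is checked with a constant-time comparison, and one label can be revoked without touching the others (so the developer's and the client's logins stay separate). The file format, the `load_keys`, `authenticate` and `revoke` names, and the sample keys are all assumptions constructed for the example; the keys are assumed to be long random values, not human-chosen passwords.

```python
import hashlib
import hmac
from typing import Optional


def hash_key(key: str) -> str:
    """Plain SHA-256 is acceptable here only because the entries are assumed to be
    long random keys; human-chosen passwords would need a slow, salted hash."""
    return hashlib.sha256(key.encode()).hexdigest()


def load_keys(text: str) -> dict[str, str]:
    """Parse a 'label: sha256hex' per-line key list. Blank lines and '#' comments are
    ignored; a malformed line or duplicate label is rejected rather than skipped."""
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        label, sep, digest = (part.strip() for part in line.partition(":"))
        bad_hex = any(c not in "0123456789abcdef" for c in digest.lower())
        if not sep or not label or len(digest) != 64 or bad_hex:
            raise ValueError(f"key list line {lineno}: expected 'label: <sha256 hex>'")
        if label in entries:
            raise ValueError(f"key list line {lineno}: duplicate label {label!r}")
        entries[label] = digest.lower()
    return entries


def authenticate(presented: str, keys: dict[str, str]) -> Optional[str]:
    """Return the label of the matching entry, or None. Every entry is compared with
    hmac.compare_digest and the loop never exits early, so response time does not
    reveal how far down the list a key sits or whether any key matched."""
    candidate = hash_key(presented)
    matched = None
    for label, digest in keys.items():
        if hmac.compare_digest(candidate, digest):
            matched = label
    return matched


def revoke(text: str, label: str) -> str:
    """Drop one label's line from the key list text, leaving the other logins untouched."""
    kept = [raw for raw in text.splitlines()
            if raw.strip().partition(":")[0].strip() != label]
    return "\n".join(kept) + "\n"


# Constructed sample list (not a real SiteCake file): a developer key and a client key.
SAMPLE_DEV_KEY = "dev-example-key-1"
SAMPLE_CLIENT_KEY = "client-example-key-2"
SAMPLE_KEY_LIST = (
    "# one entry per line: label: sha256(key)\n"
    f"developer: {hash_key(SAMPLE_DEV_KEY)}\n"
    f"client: {hash_key(SAMPLE_CLIENT_KEY)}\n"
)

if __name__ == "__main__":
    keys = load_keys(SAMPLE_KEY_LIST)
    print(authenticate(SAMPLE_CLIENT_KEY, keys))                       # client
    print(authenticate(SAMPLE_CLIENT_KEY, load_keys(revoke(SAMPLE_KEY_LIST, "client"))))  # None
```

Returning the matched label rather than a bare true/false lets the login log record which key was used, which is what makes a per-client key worth having in the first place.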