Lets say that someone is trying to guess your DotNetNuke password or the password of any user on your website right now. You had better go check your site to see what's going on. But wait a minute, how can you tell if someone is trying to hack your site or not? Does DNN even have anyway to tell you this is going on so that you can try to stop it?
We can look at DNN's event log, and filter the error list by the "Login Failure" event type. This will quickly show you if there has been a large number of failed logins for the same user - a key indicator that something bad is going on.
But there is a problem with doing it this way. You actually have to manually go to the event log page and check for yourself. How often should you check? Every day? every hour? You'll get tired of checking pretty quickly.
It would be much better if DNN could tell you when you logged on as host if everything was ok or not. A simple little status indicator would be a good way to do it. Here is a mock-up that I made of what it could look like:
Normal status - no login attacks detected
Alert status - login attack has been detected
You can see just how much better a system like this is - whenever you login, you can see immediately if someone is attempting to hack into your site. DNN needs to show you this information, you shouldn't have to go looking for it.
I think that there are some things that the DNN core should be telling site admins, and this is one of them. DNN shouldn't make the site admin go looking for this information, it really needs to be shown without asking.
I've got more to say on these hidden flaws in DotNetNuke coming up soon, so keep an eye open. If you've got concerns about security in DotNetNuke, send me an email or even a tweet to @bestwebsitesnz. I'd love to hear from you.