I reached out to support for two pieces of information.
For number 1, they told me there's some magic sauce. I can change my password and the WP Admin button still gets me in. Great, but also bad. Bad because there's some backdoor going on here.
For number 2, I noticed that the WP Admin button wasn't logging me into the original admin account, but an account I just created a couple of weeks ago and just this week upgraded to admin level. Support said that button logs me into the originally created account. Obviously not. I don't want to log in as "Amanda" when I click that button, but the original admin account. Support couldn't help. They said that's all stuff in my WordPress install and they can't do anything about it. Horse hockey. I have WordPress hosted on my own physical servers elsewhere and I don't have a magic "WP Admin" button in some third-party platform. That's a GoDaddy-specific feature. The support agent said there was no escalation path to someone else that could tell me what was going on and how to get GoDaddy's button to work as intended. Can anyone lend a hand or am I best to move my web site somewhere else where people can explain broken functionality\security risks?
FWIW: This is a client's setup and not mine specifically. I have more important things to do than worry about what web host has the web site, but not if security and support are going to be issues.
One would need to be logged into your GoDaddy account in order to access this "back-door". It is a custom WordPress install running on GoDaddy servers. Someone with access to your GoDaddy account would also be able to gain access to the files on the server, and potentially the WordPress admin as well. With any provider an account can only be as secure as the password, but you can also add 2-Factor authentication if you want to add an additional layer of protection.
Maybe, maybe not, but my point isn't to belabor that part.
Why can't GoDaddy Support know what they're talking about and how do I change the things that need changed?
1) The WP Admin button doesn't use a password but rather a key between the GoDaddy Portal and WordPress - This is much the same as how ManagedWP / ProSites and other Management sites work - It's key access so the password doesn't matter
2) It will use whatever the first alphabetical admin user is - there is no way to get around this
I would disagree with you that this is a security risk as it is very similar to how other managed WordPress solutions are set up - additionally, you would first have to get access to your GoDaddy account - and you can enable 2 factor authentication on GoDaddy
Additionally this is no different than how you are able to access cPanel / servers within the GoDaddy system - From their "Dashboard" where you have access to the servers in your account, you click login / manage and you are into the individual server / account.
Also from the hosting panel you are referring to you have access to the database so you could always just manually create additional users
In many respects this is no different than an SSH key between your machine and a server - even if you change the password on the server - as long as you can authenticate on your local computer then you are able to log in.
Hope this helps to answer your questions and remove any concerns
I've never tried to use a number in a WordPress user - I would think they are before and I would guess not case sensitive
I'm not 100% sure on this as I've never gone through the process to test it
@DNACom That's a good question I do not have the answer for off the top of my head. If you do give it a try let us know what you find out.
Numbers are before letters. I created an admin account called 1 and it's now the one automatically used when logging in through the GoDaddy portal.