Old 06-29-2009, 10:02 AM   #1
Sam Rodrigo
 
Join Date: Feb 2007
Location: Universe, OH & NL
Posts: 3,865
Blog Entries: 4
Thanks: 23
Thanked 22 Times in 21 Posts
Social Networking View Member's FaceBook Profile 
Contact Info
Send a message via Skype™ to Sam Rodrigo
Protecting WordPress ADMIN & LOGIN URL

HI All...

Just a week or two ago I read a thread advising anyone running WordPress to just change the name of the /wp-admin/ folder to protect an installation from unauthorized access.

I thought the idea was very poor and rather cumbersome to implement. There had to be much better solutions. There are many. Below I'll outline just a few of them.

First, to protect your login:

1. The obvious. A great password. I don't mean something 6 or 8 characters long, but try using 14 or 16 characters that include letters, CAPS and numbers and have meaning only to you. Then "remember" the access info using a tool such as ROBOFORM (RoboForm: Password Manager, Form Filler, Password Management), which I will say is my #1 time saver.

2. Then you can install a plugin called LOGIN LOCKDOWN (Bad Neighborhood - Login LockDown WordPress Security Plugin) which I just started using and it works elegantly to protect the WORDPRESS LOGIN page. There are a few variables to set in ADMIN once installed just like a typical plugin, but that will take a min. You'll be able to restrict access to a range of IP addresses or just your static IP. Your setup will allow "X" failed attempts before locking out another user. Just be careful that you do remember the user info!!!

3. Lastly, IF you want to do even more to protect your /wp-admin/ folder, there are options that use .htaccess files to restrict access, again by IP address(es). You can check out a plugin such as ASKAPACHE PASSWORD PROTECT (Password Protect your Blog with Apache .htaccess and .htpasswd). This is a very serious piece of software and, as it says, puts a very thick brick wall between your work and malicious attacks. But it does take some know-how and a bit of time to implement. However, when your site pays the mortgage, it's worth it.

4. Just a TIP: Now it's easier than ever to back up a database. The back-end OS (like Parallels, formerly PLESK, and cPANEL) easily allows an Admin to set up a backup routine to run a DAILY, WEEKLY or even a MONTHLY BACKUP. Set it up and leave the server to do the work. You can even specify a backup server/account or even a local PC to back up the DB via FTP. This will then be your last line of defense. No matter what happens, you can restrict the data loss to just a few days, set up again after a server crash (or a fire, as I had once!) and get back on your feet.

FEAR NOT: I am sure a few of you will fear installing a plugin like this and getting locked out of your own admin. Fear not... If for some bizarre reason you do get locked out, just use your FTP access to go to the plugin directory and delete the offending security plugin. Then it will "deactivate" automatically, and you're back in business. So, don't fear.

Success,
Sam

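As an added example (not code from the thread or from the AskApache plugin), this is the kind of .htaccess that step 3 describes, written in Apache 2.4 syntax; the IP address and the .htpasswd path are placeholders, and it assumes mod_auth_basic, mod_authz_core and mod_authz_user are loaded and AllowOverride permits these directives.

```apache
# Added example: .htaccess placed inside the /wp-admin/ directory (Apache 2.4).
# 203.0.113.10 is a placeholder for your own static IP; /home/example/.htpasswd
# is a placeholder path that should sit OUTSIDE the web root.
# Create the password file once with:  htpasswd -c /home/example/.htpasswd adminuser

# Keep admin-ajax.php reachable: themes and plugins call it for anonymous
# visitors, so locking it down breaks parts of the public site.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Everything else under /wp-admin/ must come from the allowed IP AND present
# HTTP Basic Auth credentials (a second password, independent of WordPress).
AuthType Basic
AuthName "Restricted area"
AuthUserFile /home/example/.htpasswd
<RequireAll>
    Require ip 203.0.113.10
    Require valid-user
</RequireAll>
```

wp-login.php lives in the WordPress root, not in /wp-admin/, so it needs its own `<Files "wp-login.php">` block in the root .htaccess to get the same treatment. As later replies in the thread point out, these rules only govern HTTP requests and do nothing against an attacker who already has a shell on the host.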
Old 06-29-2009, 10:24 AM   #2
CDarklock
 
Join Date: May 2009
Location: Kent, WA
Posts: 6,951
Blog Entries: 4
Thanks: 1,740
Thanked 5,488 Times in 2,512 Posts
Social Networking View Member's Myspace Profile  View Member's FaceBook Profile  View Member's Twitter Profile  View Member's YouTube Profile
Contact Info
Send a message via ICQ to CDarklock Send a message via MSN to CDarklock Send a message via Skype™ to CDarklock
Re: Protecting WordPress ADMIN & LOGIN URL

Quote (Originally Posted by Sam Rodrigo):
Just a week or two ago I read a thread advising anyone running WordPress to just change the name of the /wp-admin/ folder to protect an installation from unauthorized access.
You don't seem to understand the issue.

An automatic bot is running on a Ukrainian server. It looks for web servers running specific Linux and Apache versions. When it finds one, it runs a known exploit that gives it access to a shell on your server.

Now it looks for the wp-admin folder. If there is one, it knows you have a WordPress blog, and proceeds to run its "hack a WordPress blog" code.

None of your suggestions do anything about this. Renaming the wp-admin folder, however, does.

Old 06-29-2009, 10:32 AM   #3
Sam Rodrigo
 
Join Date: Feb 2007
Location: Universe, OH & NL
Posts: 3,865
Blog Entries: 4
Thanks: 23
Thanked 22 Times in 21 Posts
Social Networking View Member's FaceBook Profile 
Contact Info
Send a message via Skype™ to Sam Rodrigo
Re: Protecting WordPress ADMIN & LOGIN URL

Quote (Originally Posted by CDarklock):
None of your suggestions do anything about this. Renaming the wp-admin folder, however, does.
HI,
I presented my solutions based on escalating degrees of threats and realistic solutions. There are Warriors with dozens to hundreds of WordPress installations, and changing the name of the admin folder is *very* unrealistic.

Please note that HTpassword protect will resolve the issue.

Sam


Last edited by Sam Rodrigo; 06-29-2009 at 10:34 AM. Reason: typo
Old 06-29-2009, 11:08 AM   #4
CDarklock
 
Join Date: May 2009
Location: Kent, WA
Posts: 6,951
Blog Entries: 4
Thanks: 1,740
Thanked 5,488 Times in 2,512 Posts
Social Networking View Member's Myspace Profile  View Member's FaceBook Profile  View Member's Twitter Profile  View Member's YouTube Profile
Contact Info
Send a message via ICQ to CDarklock Send a message via MSN to CDarklock Send a message via Skype™ to CDarklock
Re: Protecting WordPress ADMIN & LOGIN URL

Quote (Originally Posted by Sam Rodrigo):
Please note that HTpassword protect will resolve the issue.
No, it won't, and I can't be arsed to explain why the Apache configuration files don't affect someone running a remote shell. Computer security is NOT a field for amateurs.

Old 06-29-2009, 11:21 AM   #5
TheRichJerksNet
Re: Protecting WordPress ADMIN & LOGIN URL

Quote (Originally Posted by CDarklock):
You don't seem to understand the issue.

An automatic bot is running on a Ukrainian server. It looks for web servers running specific Linux and Apache versions. When it finds one, it runs a known exploit that gives it access to a shell on your server.

Now it looks for the wp-admin folder. If there is one, it knows you have a WordPress blog, and proceeds to run its "hack a WordPress blog" code.

None of your suggestions do anything about this. Renaming the wp-admin folder, however, does.
Exactly... Locking down a wp-admin folder means nothing because it is still named wp-admin; hackers do not need access to your admin to hack your site. Hackers have full access to the open source code, and as long as you run a WordPress with the same names as the original is released in, you will always be "more" prone to hackers...

James
Old 06-29-2009, 11:23 AM   #6
TheRichJerksNet
Re: Protecting WordPress ADMIN & LOGIN URL

Quote (Originally Posted by Sam Rodrigo):
HI,
I presented my solutions based on escalating degrees of threats and realistic solutions. There are Warriors with dozens to hundreds of WordPress installations, and changing the name of the admin folder is *very* unrealistic.

Please note that HTpassword protect will resolve the issue.

Sam
I have over 500 customers that would disagree with your statement. It's not unrealistic, it's called being smart... There is a great deal more to security than just renaming the admin folder, though.

James
Old 06-29-2009, 11:56 AM   #7
Sam Rodrigo
 
Join Date: Feb 2007
Location: Universe, OH & NL
Posts: 3,865
Blog Entries: 4
Thanks: 23
Thanked 22 Times in 21 Posts
Social Networking View Member's FaceBook Profile 
Contact Info
Send a message via Skype™ to Sam Rodrigo
Re: Protecting WordPress ADMIN & LOGIN URL

As usual, there is no silver bullet solution. Even IF an admin folder name is changed, someone targeting an individual site can *still* attack any code vulnerabilities.

I presented multiple solutions, including persistent backups to resolve the issue. It's better than doing nothing and certainly smarter than waiting for it to happen.

Sam

Old 06-29-2009, 12:02 PM   #8
TheRichJerksNet
Re: Protecting WordPress ADMIN & LOGIN URL

Quote (Originally Posted by Sam Rodrigo):
As usual, there is no silver bullet solution. Even IF an admin folder name is changed, someone targeting an individual site can *still* attack any code vulnerabilities.

I presented multiple solutions, including persistent backups to resolve the issue. It's better than doing nothing and certainly smarter than waiting for it to happen.

Sam
That is why I created a "real" solution ...

James
All times are GMT -6. The time now is 12:13 PM.