Problem after password protecting wp-admin folder

8 replies
Hi Folks,

I'm trying to increase security on a new installation of WordPress Version 3.2.1 but have run into an issue when password protecting the wp-admin folder.

I've raised the issue on the WP support forum, but the post got buried quickly before any responses. So I'm unlikely to get any help from there now.

After installing WordPress into the root of the domain (public_html) I password protected the folder wp-admin. Now when browsing to that directory I get a "page not found" result, as you can see here - http://www.seohertfordshire.biz/wp-admin/ So unless I remove the password protection I can't log in.

There are currently no plugins activated, and the only change I've made is to set custom permalinks /%category%/%postname%/ and specify "not to be listed by search engines".

From what I've managed to find out, the issue appears to have something to do with the .htaccess file. My attempts to edit the file are so far unsuccessful.

I have created and uploaded three extra files 401.html 403.html and 404.html in the root folder and have edited the .htaccess as follows -

Code:
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName seohertfordshire.biz

# BEGIN WordPress
ErrorDocument 401 /home/seohertf/public_html/401.html
ErrorDocument 403 /home/seohertf/public_html/403.html
ErrorDocument 404 /home/seohertf/public_html/404.html

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

This hasn't solved the problem though, and I'm way out of my depth with .htaccess to know what else to try.

I'm hoping a fellow warrior who may have already solved this issue for themselves can advise. Or an expert with .htaccess can see where I'm going wrong?

Many thanks,

Myles
  • SteveJohnson
    First, ErrorDocument directives must point to a URL or a document relative to the document root. See core - Apache HTTP Server

    Second, your ErrorDocument directives are within the WordPress block. They will be overwritten whenever you update your permalinks.

    Third, you have only part of the necessary directives to enable HTTP Authentication. See this explanation: Apache Week. Using User Authentication

    Fourth, your <Limit statement for GET, PUT allows everyone access. See Apache module mod_access

    Fifth, using HTTP Authentication to deny access to wp-admin is a problem in WordPress installs because all of the AJAX functionality is contained in the wp-admin folder. There is a specific way that you need to accomplish this, involving allowing access to certain files within the folder. Complicated stuff.

    Sixth, it isn't the best practice to be using the permalink structure category/postname. See this article for more info: Category in Permalinks Considered Harmful » Otto on WordPress

    In short - password-protecting wp-admin may sound like a good idea, but in practice it's pretty difficult. You're better off with concentrating on basic security best-practices such as strong usernames/passwords, vetting plugins and themes, etc.
    Signature

    The 2nd Amendment, 1789 - The Original Homeland Security.

    Gun control means never having to say, "I missed you."

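As an added example (not code from the thread, from WordPress, or from Steve), this is what the layout his first, third, fourth and fifth points describe looks like when written out: error documents as document-root-relative URLs kept outside the WordPress block, and the complete set of Basic-authentication directives placed in wp-admin/.htaccess, with admin-ajax.php exempted so front-end AJAX keeps working. The realm name, the htpasswd path (/home/EXAMPLE_USER/.htpasswd) and the Apache 2.2 access-control syntax are assumptions.

```apache
# Added example, not from the thread. Assumes Apache 2.2 syntax (Order/Allow/Satisfy
# from mod_access, as used in the thread), WordPress installed in the document root,
# and a htpasswd file stored OUTSIDE public_html at the placeholder path below.

# ---- public_html/.htaccess ----
# ErrorDocument takes a URL path relative to the document root, not a filesystem
# path. These lines sit outside the BEGIN/END WordPress block so that saving the
# permalink settings does not overwrite them.
ErrorDocument 401 /401.html
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# ---- public_html/wp-admin/.htaccess ----
# All four directives HTTP Basic authentication needs: realm name, auth type,
# credential file and a Require rule. Living in wp-admin/ rather than the root,
# it protects only this directory and leaves the public site alone.
AuthName "Restricted area"
AuthType Basic
AuthUserFile /home/EXAMPLE_USER/.htpasswd
Require valid-user

# Front-end AJAX requests from themes and plugins all go to this one file.
# "Satisfy Any" means EITHER a valid login OR a matching Allow rule is enough,
# and "Allow from all" lets every visitor reach this single file unauthenticated.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy Any
</Files>
```

The credential file is created once with `htpasswd -c /home/EXAMPLE_USER/.htpasswd adminuser` (drop `-c` when adding further users), and it belongs outside the web root so it can never be served. On Apache 2.4 the Order/Allow/Satisfy block is replaced by a single `Require all granted` inside the `<Files>` section unless mod_access_compat is loaded. The exemption is deliberately narrow: admin-ajax.php still enforces WordPress's own nonce and capability checks, while every other file under wp-admin/ now needs the extra login before WordPress ever sees the request.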
    • Myles Sinclair
      Hi Steve,

      Many thanks for your response. You lost me at "ErrorDocument directives" I'm afraid. But I appreciate the links and will try and get a better understanding of this.

      I'm pretty clueless (as I've no doubt demonstrated) when it comes to .htaccess, and am pretty much a cut and paste guy in this area.

      Up until now I've been using the /%postname%/ structure for permalinks, but have seen many claims that category/postname is better for SEO? Anyway, I'll take another look at that.

      My general security is pretty good these days. Complex usernames and passwords, complex table prefixes for databases, etc. But it just seemed like a good idea for an extra wall of protection for the login area. I didn't realise it would be such a challenge to accomplish this.

      Many thanks for the advice.

      Best wishes,

      Myles
  • kokopelli
    I used to password-protect my wp-admin folder but ran into many issues with comments and plugins - can't remember exactly what now, it was some time ago.

    In the end I dropped that, and opted for other types of protection: limit the number of failed login attempts, CAPTCHA, etc.
  • Terry Crim
    How are you password protecting the folder?

    I would recommend not using htaccess to do that, the only reason being that I never got it to work well myself.

    For a total lock down when you are done writing posts or whatever you are doing in the admin area you can change the permissions of the wp-admin folder to not be accessible from the web. Requires either FTP into the site OR using the file manager within cPanel.

    You can add code to the index file within wp-admin that checks your IP address and redirects if it does not match. The problem with this is that if or when your IP does change OR you try to access from a coffee shop or somewhere, you won't be able to get in.

    You can also create a bridge page that includes the core wp-admin page only after a verification from you but this just duplicates the standard WP user login.

    My thoughts on this are to just lock down the wp-admin folder when it is not being used or move it entirely out of the folder structure and then move it back when you want to make another post.
  • Myles Sinclair
    Thanks for the suggestions, Terry & Kokopelli.

    I've managed to get this working with htaccess, but I can see from what you both say that this method can be problematic. I'll probably just go with limiting login attempts and file permissions on the admin directory.
  • SteveJohnson
    One of the major problems with moving, renaming, or password-protecting the wp-admin folder is that all of the AJAX goodies for WP reside in that folder. If WP can't find the AJAX routines, front-end AJAX functionality will fail - at least for plugins and themes that do it the right way.

    There is no real need to HTTP Authenticate the wp-admin folder -- practice basic security, i.e. obscure username and a strong 12-character password, and you'll be fine.
  • MelodyChristie
    Hi Myles,

    Instead of password protecting the folder, I recommend using a plugin like Login Lockdown - it auto blocks IPs after x number of failed attempts - and of course use it in conjunction with a strong password.
    Signature
    MelodyChristie.com |“Start by doing what's necessary; then do what's possible; and suddenly you are doing the impossible.”
    • Myles Sinclair
      Hi Melody,

      Thanks for the suggestion. I'm familiar with Login Lockdown and use it on most of my sites. I thought I'd try something new on my latest site after installing Website Defender. It's one of those situations where it seemed like a good idea at the time!

      Steve mentioned good password and username security, which I already adhere to, so with that and the Login Lockdown plugin, I should be O.K.