Given that if you put it on the net you are looking for visitors, and if you put it there you should expect visitors, this sort of this would not go into the core.
You have pw protected posts.
You can use .htaccess
In most instances that is the case: you should expect visitors and make access to content as easy as possible. But, this doesn’t really apply if you want an online private blog/journal. I really love WP and so would like to use it to document a project that I don’t wish to be public. I’ve looked at other programs and WP is really the best for what I want.
But, as you mentioned, you can password protect the directory using .htaccess — that’s what I do for now.
Aw come on, don’t suggest htaccess as a solution! Fine, if your content is harmless and it’s not a big deal if someone sees it, but seriously – you sniff out a htaccess login easily.
No, go for some real protection. I wouldn’t mind being able to set the whole WordPress blog as private and require login. That would be a great feature.
tdh – I’m curious.
If .htaccess offers no security, yet WP does yet both rely on passwords – and the people knowing them not to write them down / tell others – then why is one so much better than the other ?
(Honest question – I like .htaccess so long as strong pw’s are used)
Yout host should allow you to password protect a dir on the server. Try that option?
Thanks for the link, I also found this thread: http://wordpress.org/support/topic/35483
I’d also like to know what’s so insecure about .htaccess, and what you’d suggest as ‘real protection’ for those of us who are currently using it.
Sorry for the late reply, vacation ‘n stuff. 🙂
htaccess is insecure since you can sniff it from ports, it’s in plain text.
Unless you use HTTPS for all your blog traffic, all logins can be sniffed — .htaccess or otherwise. There are all manner of attacks people can leverage, if they have access to your traffic: password sniffing, cookie stealing, man-in-the-middle content modification, etc etc.
You cannot say that .htaccess is insecure while simultaneously claiming that a web-based form is secure. If you’re using plain ol’ HTTP, they’re equally (in)secure.
You should absolutely have https on your login if the site is important for you.
If you’re using HTTPS, the .htaccess password transmission is wrapped in the SSL encryption, along with everything else. So .htaccess is a viable option if you’re using HTTPS.
It would have been helpful for many of the readers here if you had made it clear that you were actually warning against plain http traffic, and encouraging https traffic. The .htaccess comments were a complete non-sequitor in this context.
Unfortunately, not everyone has https available to them (or are unwilling to pay the arbitrary premiums for the option). There are still lots of ways you can protect your blog. You can use .htaccess to restrict all access by IP address. You can take care never to log into your blog from a computer not under your physical control (ie: a public terminal in a lab). You can take care never to log into your blog over an unsecured wireless network (ie: a coffee shop). Use strong, randomly generated passwords.
Most security experts will agree: the goal is “defense in depth”. Do not rely on a single password, or a single defense mechanism. Use multiple defense strategies at different layers to keep your data safe.
Yes, the best way to protect yourself is to avoid plain http traffic.
However, I’d say that htaccess is more vulnarable than for instance login forms on a web page. This is because a lot of sniffers are targeting htaccess in general, and because groups of people tend to use the same htaccess login for several users. Tecnically, htaccess is as (in)secure as login forms on web pages, but as it is such an easy way to protect directories and files, sniffers are looking for it.
Good advice above regarding public computers by the way. People should read it.
Hi phpcoder, I am trying to use your code in a website. I am not a coder so I would really appreciate if you could tell me what am I doing wrong.
When I load the site, a popup window asks me for a username and password. I know the password because I´ve changed it in your code but what´s the username?
Sorry if my post is not 100% about wordpress but wordpress does not provide a way of password protecting personal blogs. I want to put family pictures and have only one password to give to family and friends.
I tried .htaccess but it asks twice for the password…
Thanks!
apache can set restrictions on who can get to htaccess, there are ways to snuff out the sniffer, it’s really not so complicated, WP already has an authenticator plugin that makes you login in order to access the blog
