This there anyway to secure wp-admin other than the default log-in system. ie. htaccess or renaming the directory.
No, a good password is the best (no word or combination of words found in a dictionary).
Use different passwords for your FTP, SQL and WordPress accounts. Avoid simplifying the hacker's work.
wp-admin is really secured. For every action, it checks all the time whether you are logged in. However, an insecure plug-in may create a hole. So, use and activate only very useful and well-known, up-to-date plug-ins.
To prevent hackers from finding me, I try to force Google, Yahoo and other search engine spiders not to index some WordPress files and folders. Type "wp-login.php" into Google and see how many websites are available for login! Hackers will try that list first.
So, to prevent this, create a robots.txt file in the root folder, and put the following:
User-agent: * # focusing on all spiders
Disallow: /cgi-bin/
Disallow: /feed/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /wp-admin/
Disallow: /xmlrpc.php
Disallow: /wp-trackback.php
Disallow: /wp-settings.php
Disallow: /wp-rss2.php
Disallow: /wp-rss.php
Disallow: /wp-register.php
Disallow: /wp-rdf.php
Disallow: /wp-mail.php
Disallow: /wp-pass.php
Disallow: /wp-login.php
Disallow: /wp-links-opml.php
Disallow: /wp-feed.php
Disallow: /wp-config.php
Disallow: /wp-commentsrss2.php
Disallow: /wp-comments-post.php
Disallow: /wp-blog-header.php
Disallow: /wp-atom.php
Some may say it is worthless (I don't think so), but it does no harm.
In the .htaccess file, you can also put the following:
<Files .htaccess>
order allow,deny
deny from all
</Files>
<Files ~ "^(index|default)\.(htm|html|shtm|shtml|asp|cgi|pl|php3|php4|php5|phtm|phtml|jsp)$">
order allow,deny
deny from all
</Files>
ErrorDocument 403 http://www.yourdomain/
ErrorDocument 404 http://www.yourdomain/
DirectoryIndex index.php
Options -Indexes
Options +FollowSymlinks
This is different: it forces the server to avoid displaying any index file but index.php (the good one). If, by any means, a hacker puts an "index.htm" file there, your web server may serve this file first (without doing any harm to WordPress). This will prevent that behaviour. Tested and approved by myself!
Thanks, nice info.
I also add this to my .htaccess file:
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule .* - [F]
I forgot to add: all files must have permissions set to 644 (not 666) and folders to 755 (not 777). Check this with your FTP software.
To complete your list of bad search engines (from spammers or hackers), you can go to this page (in French) and cut and paste the code into a .htaccess file. More than 300 "bad" bots are listed.
http://www.toulouse-renaissance.net/c_outils/c_code_htaccess.htm
But most of them pretend to be a normal web browser. The WP plug-in "Bad Behavior" can stop them. http://www.ioerror.us/software/bad-behavior/
Elfminster,
Yes, you can use an .htaccess to add extra security to wp-admin. Here's one explanation of how to use it to password protect a directory:
http://httpd.apache.org/docs/1.3/mod/mod_auth.html
NEARLY ALL hosts have mod_auth compiled into Apache.
You can also do it from within cPanel. I'm assuming other backends (like Plesk) have it available as well.
-------
"wp-admin is really secured"
That's a bit of an overstatement. It's secured by one hashed password. That's not exactly a 20 foot wall.
whooami,
I have cPanel so usually I protect my folders that way, but the problem is that when I do protect the wp-admin directory I get a 404 page not found whenever I go to it after protecting it.
This is what is confusing me.
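The mod_auth approach whooami points to, written out as an added example for this edit (it is not code from the thread, from cPanel or from the Apache documentation); the password file path, user name and realm are assumptions. It also covers two things that commonly go wrong with this setup: front-end plugin requests to admin-ajax.php being blocked, and Apache's 401/403 response being routed through WordPress's rewrite rules and coming back as the 404 Elfminster describes, which the WordPress Codex addresses with the two ErrorDocument lines at the end.

```apache
# Added example: HTTP Basic authentication in front of wp-admin/, in the
# Order/Allow/Satisfy syntax the thread's own snippets use (Apache 2.x).
# Save as wp-admin/.htaccess inside the WordPress install.
#
# Create the password file OUTSIDE the web root (path and user are
# assumptions), e.g.:  htpasswd -c /home/example/.wp-admin-htpasswd adminuser
AuthType Basic
AuthName "WordPress administration"
AuthUserFile /home/example/.wp-admin-htpasswd
Require valid-user

# Many plugins call wp-admin/admin-ajax.php from the public site, even for
# visitors who are not logged in. Let that single file through without the
# HTTP password; WordPress still applies its own nonce and capability checks.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

# Make Apache serve its built-in 401/403 pages instead of looking for an
# error document that WordPress's rewrite rules would answer with a 404.
ErrorDocument 401 default
ErrorDocument 403 default
```

With this in place the browser shows the HTTP authentication prompt before the WordPress login form, so a password-guessing tool never reaches wp-login.php or the PHP code behind it.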
PozHonks, thanks for more info on that. I also added the following; you might be interested...
<ifModule mod_php4.c>
php_value zlib.output_compression 16386
</ifModule>
# deny all .htaccess, .DS_Store $hî†é and ._* (resource fork) files
<Files ~ "^\.([Hh][Tt]|[Dd][Ss]_[Ss]|[_])">
Order allow,deny
Deny from all
Satisfy All
</Files>
# deny access to all .log and .comment files
<Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])">
Order allow,deny
Deny from all
Satisfy All
</Files>
Secure-admin plugin:
http://haris.tv/2007/01/11/wordpress-ssl-plugin-secure-admin-patched-and-working