
Any way to secure wp-admin? (8 posts)

  1. Elfminster
    Member
    Posted 7 years ago #

    Is there any way to secure wp-admin other than the default log-in system, i.e. htaccess or renaming the directory?

  2. PozHonks
    Member
    Posted 7 years ago #

    No, a good password is the best (no word or combination of words found in a dictionary).
    Use different passwords for your FTP, SQL and WordPress accounts. Avoid simplifying the hacker's work.
    wp-admin is really secured. For every action, it checks all the time if you are logged in. However, an insecure plug-in may create a hole. So, use and activate only very useful and well-known, up-to-date plug-ins.
    To prevent hackers from finding me, I try to force Google, Yahoo and other search engine spiders not to index some WordPress files and folders. Type "wp-login.php" into Google and see how many websites are available for login! Hackers will try that list first.
    So, to prevent this, create a robots.txt file in the root folder and put the following in it:

    User-agent: * # focusing on all spiders
    Disallow: /cgi-bin/
    Disallow: /feed/
    Disallow: /wp-content/
    Disallow: /wp-includes/
    Disallow: /wp-admin/
    Disallow: /xmlrpc.php
    Disallow: /wp-trackback.php
    Disallow: /wp-settings.php
    Disallow: /wp-rss2.php
    Disallow: /wp-rss.php
    Disallow: /wp-register.php
    Disallow: /wp-rdf.php
    Disallow: /wp-mail.php
    Disallow: /wp-pass.php
    Disallow: /wp-login.php
    Disallow: /wp-links-opml.php
    Disallow: /wp-feed.php
    Disallow: /wp-config.php
    Disallow: /wp-commentsrss2.php
    Disallow: /wp-comments-post.php
    Disallow: /wp-blog-header.php
    Disallow: /wp-atom.php

    Some may say it is worthless (I don't think so), but it does no harm.
    In the .htaccess file, you can also put the following:

    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>
    <Files ~ "^(index|default)\.(htm|html|shtm|shtml|asp|cgi|pl|php3|php4|php5|phtm|phtml|jsp)$">
    order allow,deny
    deny from all
    </Files>
    ErrorDocument 403 http://www.yourdomain/
    ErrorDocument 404 http://www.yourdomain/
    DirectoryIndex index.php
    Options -Indexes
    Options +FollowSymlinks

    This one is different: it forces the server to serve no index file other than index.php (the right one). If, by any means, a hacker puts an "index.htm" file there, your web server may serve that file first (without doing any harm to WordPress). This prevents that behaviour. Tested and approved by myself!

  3. Elfminster
    Member
    Posted 7 years ago #

    Thanks, nice info.

    I also add this to my .htaccess file...

    # Required once per file; harmless if an earlier block already enabled it
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
    RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
    RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
    RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
    RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
    RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
    RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
    RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
    RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
    RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
    RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
    RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
    RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
    RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
    RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
    RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
    RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
    RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
    RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
    RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
    RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
    RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
    RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
    RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
    RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
    RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
    RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
    RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
    RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
    RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
    RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
    RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
    RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
    RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
    RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
    RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Zeus
    RewriteRule .* - [F]

  4. PozHonks
    Member
    Posted 7 years ago #

    I also forgot: all files must have permissions set to 644 (not 666) and folders to 755 (not 777). Check this with your FTP software.

    To complete your list of bad search engines (from spammers or hackers), you can go to this page (in French) and cut and paste the code into a .htaccess file. More than 300 "bad" bots are listed.
    http://www.toulouse-renaissance.net/c_outils/c_code_htaccess.htm

    But most of them pretend to be a normal web browser. The WP plug-in "Bad Behavior" can stop them. http://www.ioerror.us/software/bad-behavior/
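The permissions check PozHonks describes (files 644, folders 755), as an added example that is not part of the thread: a small POSIX shell audit and fixer for a WordPress tree, assuming GNU find, stat and chmod, with the root path as a placeholder argument.

```shell
#!/bin/sh
# Added example, not from the thread: check a WordPress tree against the
# permissions recommended above (files 644, directories 755) and optionally
# fix them. Assumes GNU find/stat/chmod; $1 is the WordPress root (placeholder).
# wp-config.php is commonly kept tighter than 644 (600 or 640) because it holds
# database credentials, so a report on it may be deliberate rather than a bug.
audit_perms() {
    root="$1"
    # One "<octal mode> <path>" line per offender; no output means clean.
    find "$root" -type f ! -perm 644 -exec stat -c '%a %n' {} +
    find "$root" -type d ! -perm 755 -exec stat -c '%a %n' {} +
}

# Returns 0 when the tree is clean, 1 when audit_perms reported anything.
check_perms() {
    n=$(audit_perms "$1" | wc -l)
    [ "$n" -eq 0 ]
}

# Normalise permissions; world-writable 666/777 entries are what this repairs.
fix_perms() {
    root="$1"
    find "$root" -type f ! -perm 644 -exec chmod 644 {} +
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
}
```

Run `audit_perms /path/to/wordpress` first and review the list before `fix_perms`, since a tighter wp-config.php will be reported too.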

  5. whooami
    Member
    Posted 7 years ago #

    Elfminster,

    Yes, you can use an .htaccess to add extra security to wp-admin. Here's one explanation of how to use it to password protect a directory:

    http://httpd.apache.org/docs/1.3/mod/mod_auth.html

    NEARLY ALL hosts have mod_auth compiled into Apache

    You can also do it from within cPanel. I'm assuming other backends (like Plesk) have it available as well.

    -------

    "wp-admin is really secured"

    That's a bit of an over-statement. It's secured by one hashed password. That's not exactly a 20 foot wall.

  6. Elfminster
    Member
    Posted 7 years ago #

    whooami,

    I have cPanel, so usually I protect my folders that way, but the problem is that when I do protect the wp-admin directory I get a 404 page not found whenever I go to it after protecting it.

    This is what is confusing me.
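The mod_auth approach whooami points to, written out as an added example that is not from the thread: a shell function that drops a Basic-auth .htaccess into wp-admin, using the Apache 2.2-style access directives already used in this thread; the document root and .htpasswd path are placeholders, and the .htpasswd itself is assumed to be created separately (for example with the htpasswd tool). The `ErrorDocument 401 default` line is the usual fix when protecting wp-admin yields a 404 instead of a login prompt, as in Elfminster's post.

```shell
#!/bin/sh
# Added example, not from the thread: password-protect wp-admin with Apache
# Basic auth (mod_auth / mod_auth_basic). Assumes Apache 2.2-style directives
# and an .htpasswd created separately; both paths below are placeholders.
# Refuses to proceed if the .htpasswd would live under the document root,
# where a misconfiguration could serve it over HTTP.
write_wp_admin_auth() {
    docroot="$1"      # e.g. /var/www/example (placeholder)
    htpasswd="$2"     # e.g. /var/www/.htpasswd, outside the document root
    case "$htpasswd" in
        "$docroot"/*) echo "refusing: $htpasswd is inside $docroot" >&2; return 1 ;;
    esac
    [ -d "$docroot/wp-admin" ] || { echo "no wp-admin under $docroot" >&2; return 1; }
    cat > "$docroot/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress administration"
AuthUserFile $htpasswd
Require valid-user

# admin-ajax.php is requested by front-end themes and plugins on behalf of
# anonymous visitors; keep it reachable so the public site does not break.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

# Some control panels define no 401 page, which Apache then reports as a 404;
# this restores the built-in 401 response so the browser shows the prompt.
ErrorDocument 401 default
EOF
}
```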

  7. Elfminster
    Member
    Posted 7 years ago #

    PozHonks, thanks for more info on that. I also added the following, which you might be interested in...

    <ifModule mod_php4.c>
    php_value zlib.output_compression 16386
    </ifModule>

    # deny all .htaccess, .DS_Store $hî†é and ._* (resource fork) files
    <Files ~ "^\.([Hh][Tt]|[Dd][Ss]_[Ss]|[_])">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>

    # deny access to all .log and .comment files
    <Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>

  8. HarisTV
    Member
    Posted 7 years ago #

Topic Closed