Posted 4 years ago #
What kind of hash does WordPress used to for the admin password?
i am just worried because i recently downloaded a mod that password-protected my blog so only me and my friends can see it, however, it seems the mod doesnt hash the password and can be cracked very easily. So I was hoping the wordpress software itself was more secure with the actual admin password.
Posted 4 years ago #
I don't know the details, but the admin page does not seem very secure indeed. The password is scrambled (I believe with MD5) and stored in a file in the wp-config folder. Some sites have been hacked because Google indexed their login page including password. I don't know how much changed since the 2.2 and up series, but you can so a few things to improve security.
First, change the "admin" user, either in your control panel (for instruction search forum), or make a new user in your dashboard, promote him to admin and delete admin.
For the rest, I use the Ask Apache plugin, which is a nice feature. For serious scrambling you can also your the Admin SSL plugin, but this requires a certificate.
Gangleri - WordPress does not store the admin password in wp-config.php. It is the database username and password that is being stored there. 99% chance is that your MySQL server would not allow connections from foreign hosts, thus, the person getting the password with Google Code can no nothing with it.
eb001, the password security in WordPress is pretty secure and similar to all the popular applications on the Internet right now, i.e (vBulletin, Joomla).
You can increase security by Admin SSL, as Gangleri suggested. You might also enable .htaccess protection for your wp-admin folder, that way, you have 2 layers of security before anyone can touch your admin panel :)
Good luck.
added: WordPress uses MD5 hash, as does most of the Web Apps out there right now
Posted 4 years ago #
@Gangleri:
Some sites have been hacked because Google indexed their login page including password.
Umm. No. That's completely false. Read the thread you linked to. Google didn't index the password; it just indexed the login page, and when the site's owner viewed it in google's cache, the site owner's browser browser filled in the password for him. If he had viewed it in another browser, the password wouldn't have been there.
Posted 4 years ago #
Hi, thanks for all your suggestions, I was hoping that you might be able to go a little furthur and explain these things as I am confused.
Gangleri: the admin panel does not allow me to rename my admin login or to make a new admin, only to change my password. I am using 2.3.1, will upgrade to 2.3.2 as soon as I figure out how and get the time.
Also, how does Ask Apache help make the site more secure? The description says it only tells what kind of page you are on.
Ehab:How do you enable .htaccess for your wp-admin folder and what does that do exactly? Also, how do you take a site that is using http and make it https in order to use the Admin SSL mod? I have no idea how to do this.
Thank you for your help.
Posted 4 years ago #
One more thing:
I would like to make acces to reading the blog just as secure and difficult as access to the admin panel, is it possible? How can I do this?
Posted 4 years ago #
Nevermind, I found tutorials for using .htaccess and for setting up SSL.
Thanks for your help.
Posted 4 years ago #
Eb, you can't change "admin", but you CAN make a new user, set its role to "admin" and delete the "admin" account.
Ask Apache makes the htaccess for you, so it's an easy tool. Everything in the /wp-admin folder is protected with a password, so also the /wp-admin/install.php which is (strange enough) accessible for anyone. Indeed, you will get yet another password, but I prefer it that way. By the way, it took a while before my WP accepted the plugin generated htaccess file, just so you know.
@Ehab and Adam, you are right that I typed the text a bit too fast. There are some discussions about where WP saves the password and if this file is reachable by hackers. If it is anywhere in the /wp-admin folder, they'll at least have to crack another password too with my use Ask Apache. I hadn't heard the explanation about Google and the own computer filling in the password (which would be a strange thing), but the MD5 hash with the fact that there are several pages to code them back, at least suggests that people (think they) are able to retrieve the hashed password of (WP) users. Lots of discussions about that on the internet, so I have taken my precautions.
This topic has been closed to new replies.
