WordPress.org

Ready to get started?Download WordPress

Forums

WordPress: Total garbage CMS (7 posts)

  1. mikules
    Member
    Posted 2 years ago #

    I just don't get this CMS tool. It's unreal. The more you try to secure your site, the more the CMS stops allowing it to work correctly.

    I am trying to secure my wp-admin, yet EVERY resource on google is from over a year ago (starting to see why now--people are leaving WordPress). Most everyone tells you to use .htaccess to lock down the folder, but when you do you render it useless.

    So ok, you get it to work by other means: BAM! You're unable to upload images if you're not using crap IE.

    Is wordpress this stupid? How can this tool say it's secure when simple things in the installation don't even pop up and tell you "Hey, tell us what you would like you name your admin login URL - and don't use something people can guess".

    Such simple things are not even a PART of WordPress. So here it is, closer to releasing my heavily modded design using WordPress, and I have GREAT concerns of its security, but I have this POS folder sitting there "WP-ADMIN" that says "I USE WORDPRESS, PLEASE HACK ME!" Are you serious WordPress? No options to safely rename this DURING installation? Or even AFTER?

    NO method works in trying to hide this folder or setting up cookies, password protecting the folder...NOTHING --- without breaking the image upload thanks to their POOR choice to use FLASH UPLOADER.

    All day I have been fighting with this garbage, and this is ridiculous at this point. I'm going to punch my friend for recommending this horrible, horrible CMS tool. It's nothing but a huge invite to hackers.

  2. ClaytonJames
    Member
    Posted 2 years ago #

    You really, really, have no clue what you're jabbering on about. It sounds like your grasp of server and site security may be more the issue than your exceptionally limited experience with WordPress.

    Did you get a chance to take a look at any of these? There might be something there that conforms to the ideas you have about site security - http://wordpress.org/extend/plugins/search.php?q=secure+wp-admin&sort=

    How about this for some ideas - Hardening WordPress

    Or this - Securing wp-admin

    About the flash uploader...

    Did you notice this message every time you upload something?

    "You are using the Flash uploader. Problems? Try the Browser uploader instead."

    You can switch to the browser uploader at will.

    "Hey, tell us what you would like you name your admin login URL - and don't use something people can guess".

    That's something you really need to be told?

    :-)

    [edit] ..just a side note, 60 seconds tops on your site and anyone with more than just a basic introduction to the software can tell that you are using WordPress (or any other platform), whether you want them to or not.

  3. mikules
    Member
    Posted 2 years ago #

    "That's something you really need to be told?" At what point did you read that as I was talking about the account?

    When installing WP I think there should be a feature that asks the installer what they would like the admin folder called, instead of the default wp-admin. That's what I meant by admin login url, not the account name.

    Thank you for the links -- my anger is getting the best of me and just some common sense behind the installation (like mentioned above) would have been a nice thought to the installation. Changing the name of the folder just causes a lot more issues for the end-user.

    I have installed security plugins along with the login locker. I just want to avoid the wp-admin folder from even being seen.

    I have found one method, so far. However you have provided some links I am reading over now, and am going to look further into this.

    My apologies for my frustration, I'm simply trying to protect my site.

  4. ClaytonJames
    Member
    Posted 2 years ago #

    My apologies for my frustration, I'm simply trying to protect my site.

    That's minimizing it a bit. Whatever. Spend some time learning about what you're trying to do, and learning about WordPress. Focus on what really gets you hacked, instead of trying to change directory names and paths - which, by the way - will probably only break your site every time you do an update or upgrade.

    When installing WP I think there should be a feature that asks the installer what they would like the admin folder called, instead of the default wp-admin. That's what I meant by admin login url, not the account name.

    I knew what you meant. When you get a chance, you should read all of this article. It really does a good job of pointing to and identifying the multiple points of potential weaknesses, when it comes to getting compromised. It also addresses how to secure /wp-admin and /wp-includes, and your wp-config file. Also take a look at the links at the bottom for Additional Resources on password protecting directories and securing WordPress. There are also links to the Security FAQ, and other resources.

    Good luck to you!

  5. MickeyRoush
    Member
    Posted 2 years ago #

    I have installed security plugins along with the login locker. I just want to avoid the wp-admin folder from even being seen.

    Try the wSecure plugin:
    http://wordpress.org/support/topic/protect-you-wordpress-site-with-wsecure-authentication-1?replies=1

    Another option would be using .htaccess and RewriteRules to obscure wp-admin, wp-login.php, etc.

    Also, if you authenticate (password protect) your wp-admin directory you're going to need to whitelist certain files for those that don't have the information to access via authentication. But if you have access to it, it should not prevent you from uploading images. Your image uploading issue may be related to something else.

    example of whitelisting certain files within wp-admin:

    <FilesMatch "^(admin-ajax|async-upload|comment|image|media(-upload)?)\.php)$">
    Order allow,deny
    Allow from all
    Satisfy any
    </FilesMatch>

    All CMSs address some of the same and different security issues. No matter what CMS you use there will security steps that you'll need to take. If you think WordPress has problems addressing security, you should try Joomla. 'smirk'

  6. Pangeran Wiguan
    Member
    Posted 2 years ago #

    I doubt he will like Joomla. lol

    Well, I've been using WordPress since version 1.5

    There's one time where my blog was deface but that just once and after that updates, WordPress are getting easier to use and secure.

    While wasting time to secure the website, it's better to also have a frequent back up and use the time for worrying to develop the content. Let WordPress team do their job. It's free open source software btw. We don't like it then don't use it.

    There's other engine such as blogengine and serependity that you can try, I bet they are more secure. (O RLY?)

  7. mikules
    Member
    Posted 2 years ago #

    You all have provided me a lot of resources and I have found one that does in fact help protect (not entirely) but does help by using what MickeyRoush has (basically) said.

    I have the page setup to block all users if cookie is not found within the users browser (I have also denied being able to read any .htaccess files). Instead if you want to update content you need a specific url that gives you the cookie and then allowing you access to the admin page. I know it's not 'that' secure, but I'm trying. I have gone through the entire site and plugged up every hole possible, along with doing scans on sql files and other means of protecting the site.

    I have also turned off access to the plugins folder as well as the content folder by turning off indexing in those areas.

    The Joomla idea seems great but unfortunately I can't view the code to to see how safe the plugin is -- without purchasing it. So, I think that one is out of the question. It seems like a good plugin, but without seeing its code first I can't trust it.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.