WordPress.org

Ideas

Protect wordpress admin folder

  1. Ipstenu (Mika Epstein)
    Administrator

    The reason for the wp-config being moved is that there's pertinent data (passwords) in that file.

    There is absolutely nothing in your wp-admin that isn't in mine :)

    Posted: 4 years ago
  2. SEO Dave
    Member

    Is there any harm in adding a default .htaccess file within the wp-admin folder for all users and/or security within the root .htaccess file by default?

    I know it doesn't work for Windows servers, wouldn't it be ignored (never used a Windows server)?

    I use BulletProof Security and have to admit don't understand half the rules it's adding to the .htaccess files, but it does appear to be adding protection for some known plugin vulnerabilities.

    Makes a lot of sense to me to have something like this in WordPress core even if it doesn't work for all users.

    When we had the Timthumb vulnerability wouldn't it have made sense to add a .htaccess rule like I see with the BPS plugin

    # TIMTHUMB FORBID RFI BY HOST NAME BUT ALLOW INTERNAL REQUESTS

    When the next version of WordPress was released so those who don't upgrade their plugins/themes or are using themes/plugins that haven't been updated (you can still find themes running Timthumb version 1 now) are protected (at least those running Apache are)???

    David

    Posted: 4 years ago
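    As an added illustration of the per-folder .htaccess idea raised above (this is not code from the thread, from WordPress core, or from the BulletProof Security plugin), here is what an allowlist for wp-admin looks like in Apache 2.4 syntax. The two addresses are RFC 5737 documentation ranges standing in for whatever addresses the site owner actually administers from, and the file is assumed to live at wp-admin/.htaccess. It only takes effect where Apache reads .htaccess files with AllowOverride enabled; IIS and nginx ignore it, which is the "doesn't work for all users" caveat from the post.

```apache
# Constructed example for wp-admin/.htaccess (Apache 2.4, mod_authz_core).
# Placeholder addresses: replace 203.0.113.0/24 and 198.51.100.7 with the
# networks the administrators really connect from.

# Several Require lines at the same level are combined as "any of these",
# so each listed network is allowed and everything else gets a 403.
Require ip 203.0.113.0/24
Require ip 198.51.100.7

# admin-ajax.php is requested by the public front end (theme and plugin AJAX,
# including for logged-out visitors), so it has to stay reachable or those
# features silently break. The <Files> section overrides the rule above for it.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

    Two things to check after dropping this in: load a front-end page that uses AJAX while logged out to confirm admin-ajax.php still answers, and confirm the server log shows 403s for wp-admin from a non-listed address. If the site sits behind a reverse proxy or CDN, Apache sees the proxy's address, so the allowlist has to be applied to the real client address (for example with mod_remoteip) or it will match nothing.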
  3. Slabescu
    Member


    This is a very good idea :) I don't have security problems yet, but it's better to prevent.

    Posted: 4 years ago
  4. altanio
    Member


    I totally agree with the above comment..... That is a wonderful idea... cheers...

    Posted: 4 years ago
  5. leethompson
    Member

    Hey guys, I will try to write a plugin for this, but for now you can limit access to the wp-admin section to users that have admin privileges. Add a simple function to your theme's functions.php file to limit that access. At the bottom of your functions.php file, add this:

    ############ Disable admin access for users ############

    add_action('admin_init', 'no_more_dashboard');
    function no_more_dashboard() {
      // DOING_AJAX is a constant WordPress defines for admin-ajax.php requests,
      // not a $_SERVER key; those requests must pass, since front-end features use them.
      $is_ajax = defined('DOING_AJAX') && DOING_AJAX;
      // Anyone without manage_options (i.e. not an administrator) is sent to the front page.
      if (!current_user_can('manage_options') && !$is_ajax) {
        wp_redirect(site_url()); exit;
      }
    }

    ###########################################################

    Posted: 4 years ago
  6. Ipstenu (Mika Epstein)
    Administrator

    FYI, there's this: http://wordpress.org/extend/plugins/wp-hide-dashboard/

    Which hides it.

    Posted: 4 years ago
  7. leethompson
    Member

    Mika,
    I like to keep anyone from hitting any section of the wp-admin for security reasons. I made a plugin that uses the code above and it answers some basic questions that I know users will ask. To have the full functionality of the WordPress site, like user profiles allowing members to contribute. So far I haven't had bad reviews and it makes wp-admin a thing of the past. I am making changes to this so that only admins have access to the wp-admin at any time. You can see it here http://wordpress.org/extend/plugins/no-more-admin/ I know it's crazy to require other plugins for this; soon I will have the features built in where you will not need this.

    Lee

    Posted: 4 years ago
  8. Ipstenu (Mika Epstein)
    Administrator

    I like to keep anyone from hitting any section of the wp-admin for security reasons.

    Not to put too fine a point on it but ... that's not going to do a damn bit of security good. Look, your house has to have a door, right? You don't hide the door, you get a better lock. Hiding wp-admin from non-admins just means the attackers will head after your account and not theirs.

    And I saw your plugin (I reviewed and approved it FWIW). I still think you're doing it wrong, but I respect your right to do it :)

    None of that is 'security.' I hide the dash because people don't need it, not to make things any safer.

    Posted: 4 years ago
  9. leethompson
    Member

    Mika,
    I respect what you have just said, "None of that is 'security.' I hide the dash because people don't need it, not to make things any safer." What about adding a second function that will require the admins to enter a 2nd password that is different from the default one?
    I understand the risk of attackers going after my user, and I use a lockout function after 3 failed attempts. If this happens 5 times it requires a password change.
    As I am a young developer for WP and learning, I appreciate all the tips you provide.

    Lee

    Posted: 4 years ago
  10. Ipstenu (Mika Epstein)
    Administrator

    You have to separate your goals and understand what are, I agree, subtle differences.

    Keeping users out of places they shouldn't be is security, and it's built into WP via user roles. That's what keeps your users from being able to edit themes, for example.

    Keeping users out of places they don't need is hiding the dashboard. That's not security, that's just stopping people from getting overwhelmed, or being annoying/annoyed.

    Now the need to 'secure' WordPress is a weird thing, because the built-in security is surprisingly effective.

    You can only do things if your account has permission, so the first step is to make sure only the right person can log in as the right account. We can do that in three ways:
    1) Good passwords
    2) HTTPS logins - http://codex.wordpress.org/Administration_Over_SSL
    3) Picking good web hosts

    There's also 'Only use reputable themes and plugins that you have vetted' but that's a little harder for the general users. Hang on to that. You should be doing it ;)

    From a basic install, WP is pretty secure. Or at least it's as secure as we can make it, so really I wouldn't worry too much about that. Having a login-lockout is a great thing if you expect a lot of traffic or people trying to hack in. Otherwise, you really don't need it, and it will annoy the ... less experienced users.

    Posted: 4 years ago
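    The login lockout that Lee describes two posts up ("3 failed attempts") and that Mika calls a great thing for sites that expect attack traffic is short to implement with WordPress's own hooks. The plugin below is an added example written for this page; it is not Lee's plugin, not anything from wordpress.org, and not the plugin Mika linked. It assumes the standard WordPress hooks and functions (wp_login_failed, authenticate, wp_login, get_transient/set_transient/delete_transient, WP_Error) and a 15-minute lockout window, which is my choice rather than something the thread specifies. Counters are kept per username and client address so one attacker cannot lock an administrator out from elsewhere.

```php
<?php
/*
Plugin Name: Example Login Lockout (constructed example, not a published plugin)
Description: Blocks a username/address pair after repeated failed logins.
*/

// Thresholds: the attempt count matches the "3 failed attempts" in the thread;
// the window length is an assumption for this example.
const EXAMPLE_LOCKOUT_ATTEMPTS = 3;
const EXAMPLE_LOCKOUT_SECONDS  = 15 * 60;

// Transient key scoped to username + client address. Behind a reverse proxy
// REMOTE_ADDR is the proxy, so the real client must be restored upstream
// (e.g. by the web server) for per-address scoping to mean anything.
function example_lockout_key($username) {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_lockout_' . md5(strtolower($username) . '|' . $ip);
}

// WordPress fires wp_login_failed with the submitted username after any
// failed attempt, including attempts refused by the lockout itself, so each
// further try also refreshes the window.
add_action('wp_login_failed', 'example_lockout_record_failure');
function example_lockout_record_failure($username) {
    $key   = example_lockout_key($username);
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, EXAMPLE_LOCKOUT_SECONDS);
}

// Priority 30 runs after core's username/password check (priority 20);
// at a lower priority core would overwrite the returned error.
add_filter('authenticate', 'example_lockout_check', 30, 3);
function example_lockout_check($user, $username, $password) {
    if (empty($username)) {
        return $user;
    }
    $count = (int) get_transient(example_lockout_key($username));
    if ($count >= EXAMPLE_LOCKOUT_ATTEMPTS) {
        // Refuse even a correct password while locked out.
        return new WP_Error(
            'example_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.',
                    EXAMPLE_LOCKOUT_SECONDS / 60)
        );
    }
    return $user;
}

// A successful login clears the counter for that username/address.
add_action('wp_login', 'example_lockout_clear', 10, 2);
function example_lockout_clear($user_login, $user) {
    delete_transient(example_lockout_key($user_login));
}
```

    Save it as a file under wp-content/plugins/ and activate it, then verify the behaviour from a test account: three wrong passwords, then the correct one, should produce the lockout message rather than a login, and after the window expires the correct password works again. Transients live in the options table (or the object cache if one is configured), so this adds no schema and nothing runs on the front end, which addresses Mika's point that lockouts mostly annoy ordinary users: the counter only ever touches the username being attacked.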


  • Rating

    48 Votes
  • Status

    Sorry, not right now