WordPress.org

Ready to get started?Download WordPress

Forums

two separate domains, one for blog and one for wp-admin (4 posts)

  1. Julian Fox (greataussiepie)
    Member
    Posted 7 months ago #

    Hi,

    I am just reading over the codex on how to harden WordPress and the administering over SSL.

    I am wondering if it would be possible at all and if this would help with security at all, if you were to give your main blog and the wp-admin back end two separate domain names.

    so http://www.example.com and http://www.admin-example.com, the idea here being to make it almost impossible for someone to find your backend, because its domain name could be anything.

    I'm thinking that a really good hacker might be able to just use your websites IP address instead of a domain name, which would make this idea redundant. However, i can't help but wonder if it would be possible or even worth doing.

    Something tells me if you could use two domain names and two separate servers for your wp-admin and main blog, and be able to keep the domain name and ip of the wp-admin server hidden then i suppose it might work.

    if a hacker could get in to ur wp-admin, they can get into ur config file and find the location of your mysql server, but i bet with some fancy tools they can detect where the mysql requests are going just be browsing the website.

    I'm not sure is the right place to post this, but if anyone has any comments or info that would be cool :)

  2. Cory Gibbons
    Member
    Posted 7 months ago #

    I'm sure it's possible, but it's definitely not practical.

  3. catacaustic
    very awesome
    Posted 7 months ago #

    That's called "security through obscurity" and it's the least effective method of security available today. In the "real world" bots don't just search for a login page on your domain, they'll search for a login page on any site that they find, and sooner or later one of them will come across your admin sites URL and the attempts wil start there.

    And remember that just because the domain name could be just about anything, there's a whole lot of services out there that know and record which URL's you visit, and any of these can publish a URL that they find in their search results. On top of that pretty much all browser toolbars report back to their companies and unless that company has a very good privacy policy, the URL lists that they harvest can be sold off to anyone that's willing to pay for them.

    On top of all that... any realyl good hacker won't go through the login form anyway. They'll exploit different vunerabilities that don't leave that sort of trace, and a rea lot harder to track down. Anything targeting the login page is a pretty simple brute-force attack which can be blocked by some very simple measures.

  4. Julian Fox (greataussiepie)
    Member
    Posted 7 months ago #

    thanks for the comments. you make some good points catacaustic

Reply

You must log in to post.

About this Topic

  • RSS feed for this topic
  • Started 7 months ago by Julian Fox (greataussiepie)
  • Latest reply from Julian Fox (greataussiepie)
  • This topic is not resolved
  • WordPress version: 3.9.1