
Firming up WordPress’s security

There are thousands of articles out there describing how to make WordPress more resistant to attack, but I still had some difficulty with the nuts and bolts, so I'm documenting the process I went through here.

I recently had a bit of a security breach: some lowlife broke into my account and injected phishing pages into my personal webmail software. Consequently I went on a bit of a security binge: I deleted some apps I wasn't using much, changed all of my passwords to ridiculously long strings, and set up a layer of HTTP authentication in front of my WordPress login/admin pages. The last of these is described here.

The general idea is to put a second credential check, handled by Apache, in front of the login and admin pages. Attackers then have to get past that before they can guess WordPress passwords or exploit a bug in the admin code. Note that Basic authentication only base64-encodes the username and password in each request, so, like the WordPress login form itself, it needs HTTPS to keep the credentials off the wire.

The AskApache password protect WordPress plugin will set all of this up for you, unless it decides your web server lacks the supporting modules. It failed for me on Site5, saying I had no HTTP digest authentication support, which isn't true, as it's enabled. I couldn't be bothered debugging it, so I went the manual route.

Create the password file

First, I created an htpasswd file containing a login and password. Many sites describe how to do this, but at a terminal it is a single command:

htpasswd -c /path/to/.htpasswd myusername

Put the .htpasswd file somewhere outside the web root, such as your account's home directory, so that it can never be served by mistake; it still has to be readable by the user the web server runs as. The -c flag creates the file and overwrites any existing one, so leave it off when adding further users.

Protect the login page

I opened up the .htaccess in the WordPress root folder, and added the following:

ErrorDocument 401 default
 
AuthUserFile /path/to/.htpasswd
AuthName "Blog"
AuthType Basic
 
<Files "wp-login.php">
    require valid-user
</Files>

Note the 'ErrorDocument 401 default' line. Without it, loading the login page can give you a WordPress '404' instead of a password prompt. When Apache refuses a request with a 401 it serves whatever error document is configured for that status; if your host has set a custom 401 page, as many shared hosts do, WordPress's rewrite rules (the mod_rewrite rules that let it serve arbitrary URLs without physical files) pass the request for that non-existent file to index.php, which answers with a 404. 'default' tells Apache to use its built-in 401 response instead, so the browser sees the 401 and prompts for credentials.

Also, if you want to protect the XML-RPC endpoint (xmlrpc.php) as well, add the following:

<Files "xmlrpc.php">
    require valid-user
</Files>

If you do this, incoming pingbacks (the WordPress-specific flavour of trackbacks) will stop working, because they are delivered as XML-RPC calls to xmlrpc.php. Ordinary trackbacks are unaffected, since they are posted to a different endpoint, wp-trackback.php. Desktop and mobile blogging clients also talk to xmlrpc.php, so make sure yours can send HTTP authentication credentials; ecto can. Since xmlrpc.php is also a favourite target for automated password guessing, gating it is worthwhile if you don't need it.

Protect the admin area

Finally, I created a new .htaccess file in the wp-admin directory, so that every file under it, not just the login page, requires the credentials:

ErrorDocument 401 default
 
AuthUserFile /path/to/.htpasswd
AuthName "Blog"
AuthType Basic
 
require valid-user
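As an added example (not from the original post), here is the complete set of rules the three steps above produce, plus the wp-config.php rule suggested in the comments and one caveat the post does not cover: themes and plugins that make AJAX calls from the public site talk to wp-admin/admin-ajax.php, so password-protecting the whole wp-admin directory breaks those for logged-out visitors. The wp-admin file below exempts admin-ajax.php with 'Satisfy Any', which tells Apache that passing either the host rule ('Allow from all') or the user rule is enough. /home/me/.htpasswd is an assumed placeholder path. The syntax is the Apache 2.2 style the post uses; on Apache 2.4 the Order/Allow/Deny/Satisfy directives only work with mod_access_compat loaded, and the native equivalents are 'Require all denied' for the wp-config.php block and 'Require all granted' for the admin-ajax.php exemption.

```apacheconf
# ---------------------------------------------------------------------
# File 1 of 2: .htaccess in the WordPress root
# (keep the "# BEGIN WordPress ... # END WordPress" rewrite block that
#  WordPress writes there; these rules go alongside it)
# ---------------------------------------------------------------------
# Use Apache's built-in 401 page, so the rewrite rules never turn the
# auth challenge into a WordPress 404.
ErrorDocument 401 default

# Assumed path: the password file lives outside the web root and must be
# readable by the web server user.
AuthUserFile /home/me/.htpasswd
AuthName "Blog"
AuthType Basic

# Password gate in front of the login form.
<Files "wp-login.php">
    require valid-user
</Files>

# Optional: the same gate on the XML-RPC endpoint. Stops incoming
# pingbacks and anonymous XML-RPC calls; desktop/mobile clients must
# send the Basic credentials.
<Files "xmlrpc.php">
    require valid-user
</Files>

# Never serve the configuration file itself (suggested in the comments).
<Files "wp-config.php">
    Order Deny,Allow
    Deny from all
</Files>

# ---------------------------------------------------------------------
# File 2 of 2: .htaccess in the wp-admin directory
# ---------------------------------------------------------------------
ErrorDocument 401 default

AuthUserFile /home/me/.htpasswd
AuthName "Blog"
AuthType Basic

# Everything under wp-admin needs the htpasswd credentials...
require valid-user

# ...except admin-ajax.php, which themes and plugins call from the
# public site on behalf of logged-out visitors. "Satisfy Any" means
# passing EITHER the host rule below OR the user rule above is enough,
# and "Allow from all" makes the host rule pass for everyone.
<Files "admin-ajax.php">
    Order Allow,Deny
    Allow from all
    Satisfy Any
</Files>
```

Two things to check after installing these: fetch /wp-config.php and /wp-admin/ as a logged-out visitor and confirm you get a 403 and a 401 respectively rather than a WordPress page, and confirm the directory holding .htpasswd is not itself under the document root. Apache comments must sit on their own lines, as above; a '#' after a directive on the same line is a syntax error.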

5 Comments

  1. Posted May 25, 2009 at 11:55 am

    To be honest you're making hard work of things. Why don't you just drop a new .htaccess file in your wp-admin directory that only allows access to that folder and all files within it from one IP address only (yours)? To do that, use this code (change the IP, of course, to suit yours):

    Order Deny,Allow
    Deny from all
    Allow from 11.111.11.111

    Robots don't need to index anything in your wp-admin folder, so you have no worries about them being blocked either. However, also add an entry in your robots.txt file to disallow all robots from the wp-admin folder, for better SEO and to tell robots like Google, Yahoo, MSN etc. not to bother trying to gain access there anyway.

    Now you will have better SEO and only you alone will be allowed access not only to your admin login page, but the whole wp-admin directory.

    You should also block all access to your wp-config.php file. Again, add this to the .htaccess file in your ROOT directory, where your config file resides along with your WordPress code:

    <Files wp-config.php>
    Order Deny,Allow
    Deny from All
    </Files>

  2. Posted May 25, 2009 at 11:59 am

    I’ve added some breaks in to display the code hopefully better for you.

    Goes in .htaccess file dropped in wp-admin folder

    Order Deny,Allow
    Deny from all
    Allow from 92.239.86.166

    Add to the top of your WordPress .htaccess file to protect your wp-config file:

    <Files wp-config.php>
    Order Deny,Allow
    Deny from All
    </Files>

  3. Posted May 25, 2009 at 12:14 pm

    Good comments! It's worth noting that, for those who don't have a fixed IP address (like me, for better or worse), this will require regular updating to match your current IP.

    It may be worth also limiting access to wp-login.php and possibly the xmlrpc.php RPC entry point, if one's feeling particularly paranoid – that can be done using the 'Files' directive, with the same stuff from aquariumfish above.
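An added example (not part of the thread) that combines the two suggestions: the fixed-IP allow-list from the first comment and the password gate from the post, so that a request from the trusted address gets straight in while anyone else, including the author on a dynamic IP, is asked for the htpasswd credentials instead of being locked out. 203.0.113.7 is a documentation address standing in for the real one, and /home/me/.htpasswd is an assumed path. Two versions are shown: the Apache 2.2 syntax used in the thread ('Satisfy Any') and the native Apache 2.4 form ('<RequireAny>'); the 2.2 directives only work on 2.4 with mod_access_compat loaded.

```apacheconf
# ---------------------------------------------------------------------
# wp-admin/.htaccess, Apache 2.2 syntax (what the thread uses)
# ---------------------------------------------------------------------
ErrorDocument 401 default
AuthUserFile /home/me/.htpasswd
AuthName "Blog"
AuthType Basic

# Host rule: only the trusted address passes.
Order Deny,Allow
Deny from all
Allow from 203.0.113.7

# User rule: anyone with htpasswd credentials passes.
require valid-user

# "Satisfy Any": EITHER rule is enough. From 203.0.113.7 there is no
# password prompt; from anywhere else Apache answers 401 and the
# browser asks for credentials instead of showing a 403.
Satisfy Any

# ---------------------------------------------------------------------
# The same policy in native Apache 2.4 syntax
# ---------------------------------------------------------------------
ErrorDocument 401 default
AuthUserFile /home/me/.htpasswd
AuthName "Blog"
AuthType Basic

# Authorization succeeds if any one of the listed requirements holds;
# the IP check is evaluated before any password is asked for.
<RequireAny>
    Require ip 203.0.113.7
    Require valid-user
</RequireAny>

# To apply the same policy to the login page only, wrap either version
# in <Files "wp-login.php"> ... </Files> in the WordPress root .htaccess.
```

Use one version or the other, not both. One caveat for either: 'Allow from' and 'Require ip' compare against the address of the TCP peer, so behind a CDN or reverse proxy they see the proxy's address, and the allow-list will either let everyone through or nobody, unless the server is configured (for example with mod_remoteip on 2.4) to trust the forwarded client address.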

  4. Posted May 25, 2009 at 1:08 pm

    Hmm, I never took into consideration that if you limit your whole wp-admin directory to be accessed by just one IP address it may affect pingbacks, reading your comments above. Also I just read about other issues it can cause. Read this thread here: http://bad-neighborhood.blogsblogsblogs.com/2007/08/29/login-lockdown-a-new-wordpress-security-plugin/

  5. Posted June 29, 2009 at 4:20 am

    Hi! I'm using your WordPress template – hope that is OK? Those code blocks you have in this post... is that the "quote" function? Because in my WordPress the quote function is not showing a frame with another colour like yours is doing here... (sorry for my bad English)

    Best greetings Ben