
Protecting the WordPress wp-admin folder

January 16th, 2007

After reading about greywolf’s blog being defaced, as well as a few others, I thought I’d tighten up security a little. According to comments by shoemoney, it looks like the vulnerability is exposed by accessing some of the files contained within the /wp-admin folder. This should be fixed by the 2.0.7 WordPress upgrade [2.1 is also now available]; however, let’s add a little extra security with an .htaccess file. This will limit access to this folder by IP address: any attempt to access any file within this folder from an address that is not listed will be greeted with a Forbidden error message.

I placed this file in the /wp-admin folder (DO NOT REPLACE/EDIT THE .htaccess FILE IN THE ROOT FOLDER OF YOUR BLOG):

# Extra .htaccess for /wp-admin only (Apache 2.2 syntax). No Require directive is set,
# so the Auth* lines are inert placeholders and access is decided by the IP rules alone.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
# The rules are deliberately not wrapped in <Limit GET>: a <Limit GET> block would leave
# POST, HEAD and every other method unrestricted. Without it they apply to all methods.
# (Apache 2.4 equivalent: a single "Require ip xx.xx.xx.xx xx.xx.xxx.xx" line in place
# of the order/deny/allow lines, which 2.4 only accepts via mod_access_compat.)
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx
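As an added illustration (not code from the original post or from WordPress), this Python script evaluates a request against IP rules like the ones above under Apache 2.2 Order/Deny/Allow semantics, comparing the same rules with and without a <Limit GET> wrapper; it also accepts CIDR ranges such as a provider's /24 blocks. The addresses in the sample are constructed documentation IPs.

```python
import ipaddress
import re

# Constructed sample: the post's IP rules, here with the <LIMIT GET> wrapper that often
# appears in this recipe, using documentation addresses as the allowed sources.
LIMITED_RULES = """AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from 192.0.2.10
allow from 203.0.113.0/24
</LIMIT>
"""
# The same rules with the wrapper stripped, so they apply to every request method.
ALL_METHOD_RULES = re.sub(r"</?LIMIT[^>]*>\n", "", LIMITED_RULES)

def parse_rules(htaccess):
    """Return (limited_methods or None, order, [(verb, network or 'all'), ...])."""
    limited, order, rules = None, "deny,allow", []
    for raw in htaccess.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.match(r"<limit\s+([^>]+)>", line, re.I):
            limited = {x.upper() for x in m.group(1).split()}
        elif m := re.match(r"order\s+(\S+)", line, re.I):
            order = m.group(1).lower()
        elif m := re.match(r"(allow|deny)\s+from\s+(\S+)", line, re.I):
            src = m.group(2)
            net = "all" if src.lower() == "all" else ipaddress.ip_network(src, strict=False)
            rules.append((m.group(1).lower(), net))
    return limited, order, rules

def is_allowed(htaccess, client_ip, method="GET"):
    """Decide one request under Apache 2.2 Order/Deny/Allow semantics."""
    limited, order, rules = parse_rules(htaccess)
    if limited is not None and method.upper() not in limited:
        return True  # methods outside <Limit> are never checked against the rules at all
    ip = ipaddress.ip_address(client_ip)
    hit = lambda verb: any(v == verb and (n == "all" or ip in n) for v, n in rules)
    if order == "deny,allow":  # default allow; a matching Allow overrides a Deny
        return not hit("deny") or hit("allow")
    return hit("allow") and not hit("deny")  # allow,deny: default deny, Deny overrides

if __name__ == "__main__":
    for name, rules in (("<Limit GET>", LIMITED_RULES), ("no <Limit>", ALL_METHOD_RULES)):
        for ip, method in (("192.0.2.10", "GET"), ("198.51.100.7", "GET"), ("198.51.100.7", "POST")):
            print(f"{name:12} {method:4} from {ip:13} ->", "allowed" if is_allowed(rules, ip, method) else "forbidden")
```

Running it shows that with the <Limit GET> wrapper a POST from an unlisted address is allowed straight through, while the unwrapped rules forbid it.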

Update: Note that this was a temporary fix until the next version of WordPress came out. If you do limit access to your wp-admin folder by IP address, you may have to update the list if your internet provider assigns you a dynamic IP address, you move to another location, or you have authors at other locations.

You may also want to check out Michael’s Login Lockdown plugin, which will prevent attackers from brute-forcing their way in. Failed login attempts are recorded and, after a set number of failed logins, it blocks an IP range for 1 hour by default.
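As an added example (not the Login Lockdown plugin's own code), here is a Python model of the lockout behaviour just described: failed logins are counted per IP range and the range is blocked for an hour. The threshold of 3 failures, the 5-minute counting window and the choice of an IPv4 /24 as the "range" are assumptions, not the plugin's documented settings.

```python
import ipaddress
import time

THRESHOLD = 3        # assumed number of failed logins that triggers a lockout
WINDOW = 5 * 60      # assumed period (seconds) within which failures are counted
LOCKOUT = 60 * 60    # the 1-hour default the post mentions

class LoginLockdown:
    """Tracks failed logins per /24 range and blocks the range after too many."""

    def __init__(self):
        self.failures = {}  # range -> timestamps of recent failures
        self.blocked = {}   # range -> time the lockout expires

    @staticmethod
    def range_of(ip):
        # Assumption: the "IP range" the plugin blocks is the client's IPv4 /24.
        return ipaddress.ip_network(f"{ip}/24", strict=False)

    def is_blocked(self, ip, now=None):
        """Call this before checking the password; True means reject the attempt."""
        now = time.time() if now is None else now
        rng = self.range_of(ip)
        if rng in self.blocked and now < self.blocked[rng]:
            return True
        self.blocked.pop(rng, None)  # expired (or never set): forget it
        return False

    def record_failure(self, ip, now=None):
        """Record one failed login; return True if this one started a lockout."""
        now = time.time() if now is None else now
        rng = self.range_of(ip)
        recent = [t for t in self.failures.get(rng, []) if now - t < WINDOW]
        recent.append(now)
        self.failures[rng] = recent
        if len(recent) < THRESHOLD:
            return False
        self.blocked[rng] = now + LOCKOUT
        self.failures[rng] = []  # reset so the next lockout needs fresh failures
        return True
```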

Categories: Wordpress
  1. jason
    April 9th, 2007 at 15:11 | #1

    What do I name the file and what does this do exactly for the wp-admin folder??

  2. April 9th, 2007 at 19:15 | #2

    Jason: the file needs to be named “.htaccess” without the quote marks. It prevents hackers trying to get into your WordPress administration area by only allowing access to the listed IP addresses. This was really intended as an emergency/temporary solution when someone found a WordPress exploit, however, if you’re running the latest version you should be safe from that particular issue.

  3. Max
    June 13th, 2007 at 06:58 | #3

    Nice

  4. July 19th, 2007 at 08:59 | #4

    Hey Guys,

    Nice tips, I will launch a blog based at my site… I will apply some of…

    Take care…

  5. August 11th, 2007 at 02:10 | #5

    Great article and useful, tnx dude.

  6. August 17th, 2007 at 01:45 | #6

    I’ve read the comments of Matt Cutts about WordPress – he says that keeping the .htaccess file in the root directory is unsafe. How can it be moved to the /wp-admin/ directory?

  7. August 17th, 2007 at 10:14 | #7

    WordPress uses it’s own .htaccess in the root of the blog – do not edit or move that file.

    The tips here are to create a new .htaccess file and store it in the wp-admin folder.

    Do not edit or overwrite the .htaccess file in the root of your blog as you may completely break your blog.

  8. October 2nd, 2007 at 03:34 | #8

    That is actually good advice reuben, god I wish I would have known that a few months ago, it would have saved me some pain.

  9. November 21st, 2007 at 23:54 | #9

    I am wondering how to separate wp-admin and place it in another server instead being on one server with the display.

  10. March 23rd, 2008 at 14:27 | #10

    You know, I am trying to do that but for some reason I am getting the right path… I am trying to protect my admin panel… I have read many htaccess but still, for some reason, I am not successful.

    I don’t know how to go about doing it.

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Example Access Control"
    AuthType Basic

    order deny,allow
    deny from all
    allow from xx.xx.xx.xx
    allow from xx.xx.xxx.xx

    Also, with your IP method, if they have a dynamic IP, how would you go about doing that?

  11. BOB
    February 10th, 2009 at 18:58 | #11

    Reubenyau

    I’m using a hosting plan that allows multiple domains. The problem I’m having is this htaccess isn’t working on this particular plan. I’m guessing it’s something to do with the dev/null/ maybe.

    It works on single domain plans though, as I’ve tested it.

    Please get back to me, I need to protect my sites.

  12. February 27th, 2009 at 17:50 | #12

    I cannot emphasise enough how important it is to protect your admin directory. Given this post relates to version 2.1, don’t think the latest version (2.7) should take care of this security issue. WordPress is pretty good out of the box but additional protection in the form of an htaccess file is a must have no matter what version you are using.

  13. June 14th, 2009 at 22:53 | #13

    Thanks for the tips on how to fix this issue with WordPress. Till they launch their updated version this can keep things under control.

  14. joe
    September 30th, 2009 at 22:57 | #14

    I used the code below to protect wp-admin. Now all users who go to the main page are being prompted for the “WordPress Admin Access Control” password rather than the password assigned to their subscriber accounts. If they hit cancel several times, the login page that uses the subscriber info appears. Any ideas?

    AuthName "WordPress Admin Access Control"
    AuthType Basic
    AuthUserFile /homepages/**/********/htdocs/.htpasswd
    order deny,allow
    deny from all
    require valid-user
    # whitelist *****'s IP address
    allow from **.**.***.***
    Satisfy Any

  15. May 22nd, 2010 at 11:28 | #15

    Very good post, awesome read, thanks

  16. June 11th, 2010 at 03:25 | #16

    Super tips man. This will help me secure my blog more.

    Can also use the WordPress secure connection plugin.

  17. August 15th, 2010 at 06:08 | #17

    I’ve created a small script which helps people without a fixed IP to get all network ranges of their provider. The output can be directly added to the .htaccess file. Here in Germany the script works well for bigger providers, I don’t know if it works in other countries. But I assume it does.

    The output of the perl script looks like:

    allow from XXX.X.XXX.0/24
    allow from XXX.X.XXX.0/24
    …

    The script and some more explanation are available from:

    http://technitip.net/2010/08/how-do-you-protect-your-blog-from-hackers/

    You only need to replace the netname within the script. The page describes how to find out the dial-in netname of your provider.

    I hope it’s useful.

    Greetings from Germany,
    Harry

  18. April 6th, 2011 at 15:46 | #18

    So if I have wp 3.0 or above is any of this necessary?

  19. July 23rd, 2011 at 13:54 | #19

    Very useful tip! Thanks +1

  20. Rachel
    October 21st, 2011 at 15:41 | #20

    I’ve just used this because WordPress apparently still has security holes.

  21. November 13th, 2011 at 05:34 | #21

    This is a little difficult for people with a dynamic IP address. Login Lockdown seems better.
