After reading about greywolf’s blog being defaced as well as a few others, I thought I’d tighten up security a little. According to comments by shoemoney, it looks like the vulnerability is exposed by accessing some of the files contained within the /wp-admin folder. This should be fixed with the 2.0.7 Wordpress upgrade [2.1 is also now available], however, let’s add a little extra security with a htaccess file. This will limit access to this folder by IP address. Any attempts at accessing any file within this folder will be greeted with a Forbidden error message.
I placed this file in the /wp-admin folder (DO NOT REPLACE/EDIT THE .htaccess FILE IN THE ROOT FOLDER OF YOUR BLOG)
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx
Update: Note that this is was temporary fix until the next version of Wordpress came out. If you do limit access to your wp-admin folder by IP address you may have to update it if your internet provider assigns you a dynamic IP address, you move to another location or you have authors at other locations.
You may also want to check out Michael’s Login Lockdown plugin which will prevent attackers trying to brute force their way in. Failed login attempts are recorded and after a set amount of failed logins, it blocks an IP range for 1 hour by default.
April 9th, 2007 at 3:11 pm
What do I name the file and what does this do exactly for the wp-admin folder??
April 9th, 2007 at 7:15 pm
Jason: the file needs to be named “.htaccess” without the quote marks. It prevents hackers trying to get into your Wordpress administration area by only allowing access to the listed IP addresses. This was really intended as an emergency/temporary solution when someone found a Wordpress exploit, however, if you’re running the latest version you should be safe from that particular issue.
June 13th, 2007 at 6:58 am
Nice
July 19th, 2007 at 8:59 am
Hey Guys,
Nice tips, I will launch a blog based at my site… I will apply some of…
Take care…
August 11th, 2007 at 2:10 am
Great article and useful, tnx dude.
August 17th, 2007 at 1:45 am
I’ve read the commnets of Matt Cutts about Wordpress - he says that keeping the .htaccess file in root directory is unsafe. How can it be moved to /wp-admin/ directory?
August 17th, 2007 at 10:14 am
said
Wordpress uses it’s own .htaccess in the root of the blog - do not edit or move that file.
The tips here are to create a new .htaccess file and store it in the wp-admin folder.
Do not edit or overwrite the .htaccess file in the root of your blog as you may completely break your blog.
October 2nd, 2007 at 3:34 am
That is actually good advice reuben, god I wish I would have know that a few months ago, it would have saved me some pain.
November 21st, 2007 at 11:54 pm
I am wondering how to separate wp-admin and place it in another server instead being on one server with the display.
March 23rd, 2008 at 2:27 pm
u know i am trying to do that but for some reason i am geting the right path…i am tryig to protect my admin panel…i have read many htacess but still for some resaon not sccessful
i dont knw how to go about doing it
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Example Access Control”
AuthType Basic
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx
also with ur method with ip if they have dynamic ip how would u go about doing that