After reading about greywolf’s blog being defaced, as well as a few others, I thought I’d tighten up security a little. According to comments by shoemoney, it looks like the vulnerability is exposed by accessing some of the files contained within the /wp-admin folder. This should be fixed with the 2.0.7 WordPress upgrade [2.1 is also now available]; however, let’s add a little extra security with an .htaccess file. This limits access to the folder by IP address: any attempt to access any file within it from an address not on the list is greeted with a Forbidden error message.
I placed this file in the /wp-admin folder (DO NOT REPLACE OR EDIT THE .htaccess FILE IN THE ROOT FOLDER OF YOUR BLOG):
# The Auth* lines are harmless here: with no "require" directive no password is ever asked for
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
# Apache 2.2 host access syntax (Apache 2.4 uses "Require ip ..." instead).
# The rules are deliberately NOT wrapped in <Limit GET>: directives inside a
# <Limit GET> block apply only to GET/HEAD, which would leave POST requests
# to the admin files unrestricted.
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx
Update: Note that this was a temporary fix until the next version of WordPress came out. If you do limit access to your wp-admin folder by IP address, you may have to update the list if your internet provider assigns you a dynamic IP address, you move to another location, or you have authors at other locations.
You may also want to check out Michael’s Login Lockdown plugin, which will prevent attackers trying to brute force their way in. Failed login attempts are recorded and, after a set number of failed logins, it blocks an IP range for 1 hour by default.
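As an added example (not code from the post or from WordPress), here is a small Python evaluator of the Apache 2.2 order/deny/allow semantics the rules above rely on, including CIDR ranges for the dynamic-IP case from the update. The IP addresses are constructed documentation addresses; the first rule set reproduces the post's rules wrapped in a <LIMIT GET> block, which shows that a non-GET request from an outside address is not denied, while the bare rules deny it.

```python
import ipaddress
import re

# Constructed copy of the wp-admin rules wrapped in <LIMIT GET> (placeholder IPs
# replaced with documentation addresses); <LIMIT GET> covers only GET/HEAD requests.
LIMITED_HTACCESS = """
<LIMIT GET>
order deny,allow
deny from all
allow from 203.0.113.10
</LIMIT>
"""
# Same rules without the wrapper, plus a /24 range for a dynamic-IP provider.
HARDENED_HTACCESS = """
order deny,allow
deny from all
allow from 203.0.113.10
allow from 198.51.100.0/24
"""

def parse_rules(text):
    """Apache 2.2 host access directives -> (order, [(kind, host, methods)])."""
    order, rules, methods = "deny,allow", [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"<limit\s+([^>]+)>", line, re.I)
        if m:                       # directives inside <Limit> apply to listed methods only
            methods = {x.upper() for x in m.group(1).split()}
            methods |= {"HEAD"} if "GET" in methods else set()   # Apache treats HEAD as GET
        elif line.lower() == "</limit>":
            methods = None
        elif line.lower().startswith("order "):
            order = line[6:].replace(" ", "").lower()
        elif line.lower().startswith(("allow from ", "deny from ")):
            kind, _, host = line.lower().partition(" from ")
            rules.append((kind, host.strip(), methods))
    return order, rules

def matches(host, client_ip):
    return host == "all" or ipaddress.ip_address(client_ip) in ipaddress.ip_network(host, strict=False)

def is_allowed(text, client_ip, method="GET"):
    # Decide a request the way Apache 2.2 Order/Allow/Deny would.
    order, rules = parse_rules(text)
    hit = {"allow": False, "deny": False}
    for kind, host, methods in rules:
        if (methods is None or method.upper() in methods) and matches(host, client_ip):
            hit[kind] = True
    if order == "deny,allow":        # default allow; a matching Allow overrides Deny
        return hit["allow"] or not hit["deny"]
    return hit["allow"] and not hit["deny"]   # allow,deny: default deny, Deny wins
```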
April 9th, 2007 at 3:11 pm
What do I name the file and what does this do exactly for the wp-admin folder?
April 9th, 2007 at 7:15 pm
Jason: the file needs to be named “.htaccess” without the quote marks. It prevents hackers trying to get into your WordPress administration area by only allowing access to the listed IP addresses. This was really intended as an emergency/temporary solution when someone found a WordPress exploit, however, if you’re running the latest version you should be safe from that particular issue.
June 13th, 2007 at 6:58 am
Nice
July 19th, 2007 at 8:59 am
Hey Guys,
Nice tips, I will launch a blog based at my site… I will apply some of…
Take care…
August 11th, 2007 at 2:10 am
Great article and useful, tnx dude.
August 17th, 2007 at 1:45 am
I’ve read the comments of Matt Cutts about WordPress – he says that keeping the .htaccess file in the root directory is unsafe. How can it be moved to the /wp-admin/ directory?
August 17th, 2007 at 10:14 am
WordPress uses its own .htaccess in the root of the blog – do not edit or move that file.
The tips here are to create a new .htaccess file and store it in the wp-admin folder.
Do not edit or overwrite the .htaccess file in the root of your blog as you may completely break your blog.
October 2nd, 2007 at 3:34 am
That is actually good advice, Reuben. God, I wish I would have known that a few months ago; it would have saved me some pain.
November 21st, 2007 at 11:54 pm
I am wondering how to separate wp-admin and place it in another server instead being on one server with the display.
March 23rd, 2008 at 2:27 pm
You know, I am trying to do that but for some reason I am getting the right path… I am trying to protect my admin panel… I have read many htaccess examples but still for some reason am not successful.
I don’t know how to go about doing it.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx
Also, with your method with IP, if they have a dynamic IP how would you go about doing that?
February 10th, 2009 at 6:58 pm
Reubenyau
I’m using a hosting plan that allows multiple domains. The problem I’m having is this htaccess isn’t working on this particular plan. I’m guessing it’s something to do with the dev/null/ maybe.
It works on single domain plans though, as I’ve tested it.
Please get back to me, I need to protect my sites.
February 27th, 2009 at 5:50 pm
I cannot emphasise enough how important it is to protect your admin directory. Given this post relates to version 2.1, don’t think the latest version (2.7) should take care of this security issue. WordPress is pretty good out of the box but additional protection in the form of an htaccess file is a must have no matter what version you are using.
June 14th, 2009 at 10:53 pm
Thanks for the tips on how to fix this issue with WordPress. Till they launch their updated version this can keep things under control.
September 30th, 2009 at 10:57 pm
I used the code below to protect wp-admin. Now all users who go to the main page are being prompted for the “WordPress Admin Access Control” password rather than the password assigned to their subscriber accounts. If they hit cancel several times, the login page that uses the subscriber info appears. Any ideas?
AuthName "WordPress Admin Access Control"
AuthType Basic
AuthUserFile /homepages/**/********/htdocs/.htpasswd
order deny,allow
deny from all
require valid-user
# whitelist *****’s IP address
allow from **.**.***.***
Satisfy Any
May 22nd, 2010 at 11:28 am
Very good post, awesome read, thanks
June 11th, 2010 at 3:25 am
Super tips man. This will help me secure my blog more.
Can also use the WordPress secure connection plugin.
August 15th, 2010 at 6:08 am
I’ve created a small script which helps people without a fixed IP to get all network ranges of their provider. The output can be directly added to the .htaccess file. Here in Germany the script works well for bigger providers, I don’t know if it works in other countries. But I assume it does.
The output of the perl script looks like:
allow from XXX.X.XXX.0/24
allow from XXX.X.XXX.0/24
….
The script and some more explanation is available from:
http://technitip.net/2010/08/how-do-you-protect-your-blog-from-hackers/
You only need to replace the netname within the script. The page describes how to find out the dial-in netname of your provider.
I hope it’s useful.
Greetings from Germany,
Harry