Securing a new WordPress installation, part 2: Login process and Admin area

In this three-part series we will explore the most common tasks to secure a new WordPress installation in a shared hosting environment.

In this second part of the series we will explore ways of hardening the Login Page and Admin area. The entry point to a WordPress installation is the login page. That’s probably the first place where anyone trying to hack your WordPress installation is going to look. It’s like checking how well the front door is secured before looking for a back door.

Proper username and password

In order to make it harder for hackers (and script kiddies alike), you have to choose a proper username for the WordPress superuser. No, admin isn’t one. Because all WordPress installations since the beginning of Earth history default to the admin username for the most privileged account, and until recently you couldn’t even choose a different name, the admin user is the first one that your potential hacker is going to try to break. Any name will suffice, but please don’t be silly and use root instead of admin. After all, you do have some creativity in you, don’t you?

You can select your username during the WordPress installation process. If your WordPress is already installed you will need to fiddle with the database. You can do that easily with phpMyAdmin.

Tied to the choice of a new username is the choice of a password. I’m not going to tell you how to do that, you’re grown up now, so you know about mixing upper case, lower case, numbers and symbols, and the 8 characters minimum, and the more characters the better. So please avoid rubbish like ‘jane69’, and say ‘Hi’ to your girlfriend Jane for me.

IP lock after failed login attempts

Another trick consists of limiting the number of (failed) queries to the login page per IP. If the user fails to enter their username or password, say, three times, their IP is blocked for a specified number of minutes. This protection can easily be defeated by changing your IP, but it makes it really tedious, slow and annoying to run a brute-force attack with a password dictionary if the attacker is not using a zombie network.

The easiest way to achieve this is using a plugin. Login Lockdown seems to be the most popular and it’s really simple to configure, although there are several others with similar features in the WordPress Plugin Directory.

[Figure: Login Lockdown configuration screen]
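To make the mechanism concrete, here is an added example (not code from the Login Lockdown plugin or from this post) of a per-IP failed-login counter with a temporary lockout. The thresholds (three failures, a fifteen-minute lockout, a five-minute window in which failures are counted) are assumptions chosen for the illustration, and the clock is injectable so the expiry logic can be exercised without waiting.

```python
import time
from collections import defaultdict

# Constructed illustration of the lockout mechanism described in the text;
# the numbers below are assumptions, not the plugin's defaults.
MAX_FAILURES = 3           # failed attempts allowed before the IP is locked
LOCKOUT_SECONDS = 15 * 60  # how long a locked IP stays locked
FAILURE_WINDOW = 5 * 60    # failures older than this are forgotten


class LoginLockout:
    """Per-IP failed-login counter with a temporary lockout."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable for tests
        self._failures = defaultdict(list)  # ip -> timestamps of recent failures
        self._locked_until = {}             # ip -> unlock timestamp

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:
            # lockout expired: forget it and start counting afresh
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Register a failed login; returns True if the IP is now locked."""
        now = self._clock()
        recent = [t for t in self._failures[ip] if now - t < FAILURE_WINDOW]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[ip] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure history for that IP."""
        self._failures.pop(ip, None)

    def attempt(self, ip, password_ok):
        """Gate one login attempt; returns 'locked', 'ok' or 'failed'.

        A locked IP is refused even when the password is right, which is
        exactly what makes dictionary attacks slow.
        """
        if self.is_locked(ip):
            return "locked"
        if password_ok:
            self.record_success(ip)
            return "ok"
        self.record_failure(ip)
        return "failed"


if __name__ == "__main__":
    guard = LoginLockout()
    for _ in range(3):
        print(guard.attempt("198.51.100.7", False))  # constructed client IP
    print(guard.attempt("198.51.100.7", True))       # locked, despite the right password
```

Note that the lock is keyed on the client IP only, so a single legitimate user behind a shared NAT address can lock out everyone else behind it; keep the lockout short enough that this is a nuisance rather than an outage.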

Using mod_digest to add another username/password layer

If your host is not rubbish, you can add another layer of security using Apache access control. As a result, when you try to access the Admin area the browser will first present you with a dialog requesting a username and password for HTTP authentication, and if that succeeds it will send you on to the WP Login page, where you will have to enter the normal username and password that you created during the WordPress installation.

Warning: this tip won’t help against man-in-the-middle attacks, so if you are working from an insecure network, this will not deter hackers. The only way to avoid that type of attack is by using the SSL protocol, which requires buying or creating a certificate and a little bit of server configuration. For blogs this is (usually) not necessary.

Back in the day the common way to add access control to an Apache installation was using mod_auth. The problem with mod_auth is that it sends the credentials with only a weak, easily reversible encoding, so it’s not very secure. For that reason mod_auth has been superseded by mod_auth_digest, which is an almost drop-in replacement for it.

To activate the access control we first need to create a .htdigest file which will contain the username and password that we are going to use to access the Admin directory. The syntax for the command is:

htdigest -c .htdigest realm username

The -c option tells htdigest to create a new .htdigest file in the current location (so be sure that you are in the /wp-admin directory, because that is the one we want to protect). realm is a token that identifies the secure area we are creating; it can have any value you want, just take note of it because you will need it in the next step. Finally, username is the name of our newly created user. Note that the username and password pair can be whatever you want, but if you want this trick to be useful at all they should be different from WordPress’ username and password. The program will then ask for the new password.

As you will see in the next step, it’s not necessary to create the .htdigest file inside the directory that we want to protect (/wp-admin in this case), but it’s standard practice, and less messy anyway if you want to protect several directories with different users, to have each .htdigest in the proper location.

Once .htdigest is created we must instruct Apache to honor the username and password each time someone wants to access that directory. For that purpose we create a .htaccess file (which must be in the directory we want to protect) with the following content:

AuthType Digest
AuthName realm
AuthUserFile /path/to/.htdigest
Require user username

Where realm is the token we used when creating our user (it must match exactly, otherwise the stored hash will never verify) and username is our .htdigest username (remember: not our WordPress username!).

Tip: If you are going to create several different users with access to the same directory, you can use the directive Require valid-user instead of enumerating all the usernames in Require user.
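To show what htdigest actually stores and why AuthName has to equal the realm, here is an added example (my own illustration, not part of the original post or of Apache) that rebuilds the .htdigest line format and the HTTP Digest exchange from RFC 2617 in Python. The username, realm, password and nonce are constructed values; the example omits the qop extension for brevity, which Apache does support.

```python
import hashlib
import secrets


def _md5(text):
    """Hex MD5 of a string; Digest auth is defined over MD5."""
    return hashlib.md5(text.encode()).hexdigest()


def htdigest_line(username, realm, password):
    """Build the line htdigest writes: user:realm:MD5(user:realm:password).

    The MD5 value is called HA1 in RFC 2617; the password itself is never stored.
    """
    return f"{username}:{realm}:{_md5(f'{username}:{realm}:{password}')}"


def load_htdigest(text):
    """Parse the contents of a .htdigest file into {(user, realm): ha1}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, ha1 = line.split(":", 2)
        table[(user, realm)] = ha1
    return table


def client_response(username, realm, password, method, uri, nonce):
    """What the browser sends back after the 401 challenge (no qop)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def server_verify(table, username, realm, method, uri, nonce, response):
    """Check the response using only the stored HA1.

    The realm comes from AuthName in .htaccess; if it differs from the realm
    given to htdigest, the lookup fails and the login is refused.
    """
    ha1 = table.get((username, realm))
    if ha1 is None:
        return False
    expected = _md5(f"{ha1}:{nonce}:{_md5(f'{method}:{uri}')}")
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed values for the demonstration
    line = htdigest_line("gatekeeper", "wp-admin-area", "correct horse")
    print(line)
    table = load_htdigest(line)
    nonce = secrets.token_hex(16)  # the server picks a fresh nonce per challenge
    resp = client_response("gatekeeper", "wp-admin-area", "correct horse",
                           "GET", "/wp-admin/", nonce)
    print(server_verify(table, "gatekeeper", "wp-admin-area",
                        "GET", "/wp-admin/", nonce, resp))
```

Because the client only ever sends MD5 digests, a passive observer on the network does not see the password as they would with Basic authentication; they do see the digest, though, which is why the warning above about man-in-the-middle attacks still applies.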

There is at least one plugin that can help you through this process, it’s called AskApache Password Protect, and has other interesting security features.

Allowing access only from certain IPs

If you always access your admin panel from a specific location (e.g. your business) and you have a fixed IP (or a range of them), you can use a similar procedure to instruct Apache to only allow IPs from that range to access the admin area. Remember that if your IP is not fixed, this will lock you out of your own website.

The process is simple, just add the following to the .htaccess file in the /wp-admin directory:

Order Deny,Allow
Deny from all
Allow from ip

where ip is the IP address which you want to grant access to the admin area. Anyone coming from an IP address other than the specified one who tries to access the area will receive a 403 Forbidden error. This is independent of (but compatible with) the previous tip.

If you want to allow a range of IPs (all of your business computers, for instance) to access the Admin area, you can do it by specifying the range in one of the following ways:

Allow from 10.0.0.0/8
Allow from 10.0.0.0/255.0.0.0
Allow from 10.

Any of these three lines in .htaccess will grant access to all IPs from 10.0.0.1 to 10.255.255.255.
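The three notations look interchangeable but are easy to get wrong: a prefix length of /24 covers only 256 addresses, while /8, the netmask 255.0.0.0 and the partial address “10.” all cover the whole 10.x.x.x block. The added example below (my own code, not from the post or from Apache) reimplements the matching Apache 2.2 performs for Order Deny,Allow / Deny from all / Allow from ... so you can check what a given line really lets in before you lock yourself out. It assumes IPv4 only; Apache 2.4 expresses the same rule as Require ip with the same address forms.

```python
import ipaddress


def parse_allow_from(spec):
    """Turn the argument of an Apache 2.2 'Allow from' line into an IPv4 network.

    Accepted forms, as in the article: 'a.b.c.d/prefix', 'a.b.c.d/netmask',
    a partial dotted address such as '10.' or '10.0' (matches the whole
    block), or a full address (matches exactly that host).
    """
    spec = spec.strip()
    if "/" in spec:
        # ipaddress understands both '/8' and '/255.0.0.0'
        return ipaddress.ip_network(spec, strict=False)
    if spec.endswith(".") or spec.count(".") < 3:
        octets = [o for o in spec.split(".") if o]
        if not 1 <= len(octets) <= 3:
            raise ValueError(f"bad partial address: {spec!r}")
        prefix = 8 * len(octets)  # one leading octet per 8 bits of prefix
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{prefix}", strict=False)
    return ipaddress.ip_network(f"{spec}/32")


def effective_range(spec):
    """First and last address a given 'Allow from' argument covers."""
    net = parse_allow_from(spec)
    return str(net[0]), str(net[-1])


def is_allowed(client_ip, allow_specs):
    """Evaluate 'Order Deny,Allow' with 'Deny from all' and the given Allow lines.

    With that ordering a client is admitted if any Allow entry matches it,
    otherwise it gets the 403 described in the text.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in parse_allow_from(s) for s in allow_specs)


if __name__ == "__main__":
    for spec in ("10.0.0.0/24", "10.0.0.0/8", "10.0.0.0/255.0.0.0", "10."):
        print(f"Allow from {spec:<20} -> {effective_range(spec)}")
    # Constructed client addresses
    print(is_allowed("10.37.1.2", ["10.0.0.0/24"]))  # False: outside the /24
    print(is_allowed("10.37.1.2", ["10."]))          # True
```

Run this against the exact lines you intend to put in .htaccess and against your own public address before enabling the rule; a typo in the prefix length is the usual way people lock themselves out of /wp-admin.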

If you want to try more complex stuff, you can learn about the syntax of .htaccess files in the .htaccess tutorial in the Apache Documentation.

In the next entry in this series we will explore some advanced tips for securing the database, some minor tips, and a roundup of interesting plugins.