More wordpress security for login management page
#1
Hello, my friends. I use Wordpress for my site. For more security, I want the link www.mydoamin.com/admin to be disabled, and whenever I need to log in, I need to enable it... Please help.
I want to do this because I've had several unsuccessful login logs from different IPs that have tried to infiltrate the site's management system many times. I use the php security system to edit a series of site information, and I close it whenever I don't need it, but this is also very important for /admin.
#2
You can do two easy things to prevent unauthorized access to the Wordpress Administration Dashboard.

1. Use .htaccess or configure your vHost to add another login that appears before the Wordpress Administration Dashboard that has absolutely different login details (Access Control List).
2. Use .htaccess or configure your vHost to accept only certain IP addresses and allow them to open the Wordpress Administration Dashboard (IP based Access Control List).
(3. Add 2 factor authentication to your Wordpress blog.)

Resources for username and password authentication:
- https://httpd.apache.org/docs/2.4/howto/auth.html
- https://tecadmin.net/configure-basic-aut...-htaccess/
- https://docs.nginx.com/nginx/admin-guide...ntication/
- https://www.booleanworld.com/set-basic-h...ion-nginx/


Resources for IP based access control:
- https://httpd.apache.org/docs/2.4/howto/access.html
- https://www.cyberciti.biz/faq/apache-res...rectories/
- https://support.hypernode.com/knowledgeb...-in-nginx/
- https://www.cyberciti.biz/faq/linux-unix...rol-howto/


I would actually recommend option 2 over option 1 because option 1 would only add another layer of bruteforce login while option 2 simply will lock everyone out who is NOT whitelisted.

I would stay away from any additional Wordpress plugin unless you can make sure it is very safe. You can however actually add a proper 2 factor authentication system if Wordpress has that.
#3
Well, as a matter of fact, it's even possible to change the wp-admin and wp-login URL, making the Admin area private. You'll need to do a bit of research, though; however, this tutorial still works for changing the Admin URL - https://wordpress.org/support/topic/how-...ure-login/
Sayan Bhattacharyya,

Heartiest thanks to Post4VPS and Virmach for my wonderful VPS 9!
#4
(05-16-2020, 01:58 PM)hamed Wrote: Hello, my friends. I use Wordpress for my site. For more security, I want the link www.mydoamin.com/admin to be disabled, and whenever I need to log in, I need to enable it... Please help.
I want to do this because I've had several unsuccessful login logs from different IPs that have tried to infiltrate the site's management system many times. I use the php security system to edit a series of site information, and I close it whenever I don't need it, but this is also very important for /admin.

@"Hidden Refuge"'s suggestion is excellent and an eye-opener for me too. I really like WordPress myself and have been using it for many years. WordPress is the one script that is great to have, but only when you are responsible enough to know that you can't afford to take any risks with it. Particularly since there are thousands of exploits that have been developed to match every possible risk you can take with the script. That's why WordPress needs to be updated so regularly. Mostly because some or other script kid discovered a new security hole. NEVER use nulled themes or plugins. With WordPress you can't get away with that. Some time or other, because there are thousands of script kiddie bots that have penetrated every known weakness in the WordPress script, it will trip you up, guaranteed!

So I am curious to know whether you are using the security plugin WordFence. It is a free plugin, so if you are connected to WordFence with your e-mail address, they will monitor your WordPress site and particularly the access through the Admin Panel. They're very strict. So if someone tries to access your WordPress site breaking some security setting (which you can set yourself in the Admin Dashboard - or the default settings of the plugin are also very good), they will automatically disable your admin panel. When it first happened to me (it rarely happens, but it has happened to me twice in many years), when I tried to access my Admin Panel there was a WordFence pop-up that came up saying that XYZ exploit was in process and they blocked it for this, that or the other reason - I couldn't get in. They tell you exactly why they blocked your access through the Admin Panel. So I learned (possibly common sense) that to get back in you need to first disable the WordFence plugin by going into your FTP client and putting a number or "x" in front of the plugin folder. You'll then be able to access your panel normally, then make the changes to fix the security problem that WordFence pointed out, and then enable WordFence again. That way you'll know your Admin Panel is safe. WordFence also sends you regular updates of the latest WordPress exploits that have been uncovered. Ordinarily I look at reports like those as spam, but their reports are really well written and researched, where they've actually done research and provide solutions as well.

The other thing is to NEVER have the user name Admin - try to make the user name very unique - not even like your own name. You have to give the Admin Panel a complicated user name, as there are bot networks going particularly for panels that use the user name admin - or a name or names that stand out on your website. It has to be a user name no one else would think of. Also make sure you have a really strong and complicated password and that all of your plugins are up to date and regularly maintained by the authors of the plugins too. Don't use nulled anything, particularly themes. Only use themes and plugins that have been vetted by WordPress and provide you with up-to-date information on when they were last updated by the author. The older the plugin or theme gets, the more important it is for you to go back to WordPress to check when it was last supported by the author. It is very easy to pick up on this when support questions in the discussion section of the plugin have gone unanswered for a long time, or there have been complaints.
Thank you to Post4VPS and VirMach for my awesome VPS 9!  
#5
@sohamb03

"Security through obscurity" is not security though. And that would only really work if you give it an absolutely random and long name so that a bruteforce attack to guess the name would take ages and the attacker would probably give up. It would also be very bothersome to access it unless you bookmark it on every device you use.


@deanhills

Just a fair warning about Wordpress and plugins. Even some of the biggest plugins and most active plugins have issues that for weeks or even months have sometimes left thousands of blogs or even more than just thousands open for attacks. Basically running a Wordpress blog with plugins is more of a security risk than running a straight up Vanilla blog.

There is a great site: https://wpvulndb.com/
#6
(05-16-2020, 02:17 PM)Hidden Refuge Wrote: You can do two easy things to prevent unauthorized access to the Wordpress Administration Dashboard.

1. Use .htaccess or configure your vHost to add another login that appears before the Wordpress Administration Dashboard that has absolutely different login details (Access Control List).
2. Use .htaccess or configure your vHost to accept only certain IP addresses and allow them to open the Wordpress Administration Dashboard (IP based Access Control List).
(3. Add 2 factor authentication to your Wordpress blog.)

Resources for username and password authentication:
- https://httpd.apache.org/docs/2.4/howto/auth.html
- https://tecadmin.net/configure-basic-aut...-htaccess/
- https://docs.nginx.com/nginx/admin-guide...ntication/
- https://www.booleanworld.com/set-basic-h...ion-nginx/


Resources for IP based access control:
- https://httpd.apache.org/docs/2.4/howto/access.html
- https://www.cyberciti.biz/faq/apache-res...rectories/
- https://support.hypernode.com/knowledgeb...-in-nginx/
- https://www.cyberciti.biz/faq/linux-unix...rol-howto/


I would actually recommend option 2 over option 1 because option 1 would only add another layer of bruteforce login while option 2 simply will lock everyone out who is NOT whitelisted.

I would stay away from any additional Wordpress plugin unless you can make sure it is very safe. You can however actually add a proper 2 factor authentication system if Wordpress has that.
Thank you very much for your explanation. I also choose option 2. But before that, I want to ask if it is possible to do something in cPanel so that I can activate the admin page whenever I need it, and don't need to keep it locked in cPanel with every trick at all times? I mean, the domain/admin will remain closed for all IPs when I don't need it, and I can open it myself only through the cPanel panel.
#7
@"Hidden Refuge" Yeah agreed. That's only a sorta measure to delay the process and not necessarily a method to ward off bruteforce attacks.

I'd also prefer option 2 of yours. Probably that's the best way to prevent any sort of attack on the Admin page, and if you've got a static IP, it's brownie points.

Moreover, I'm also in complete agreement with you regarding plugins. Sadly, some of the most beautiful WordPress plugins are back doors to doom your website. I've been the victim of a plug-in attack too, which I'd also mentioned in a previous post regarding WordPress here.



@hamed Yeah, of course. You just edit your .htaccess file again, add your present IP address there, and you get access to the wp-admin page. Then after you're done you can edit it back again. In my opinion, that'd be the most solid measure to prevent attacks on the wp-admin page.

Regards,
Sayan Bhattacharyya,

Heartiest thanks to Post4VPS and Virmach for my wonderful VPS 9!
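The IP-based .htaccess option from Hidden Refuge's post #2 and the open/close toggle sohamb03 describes above, as an added example that is not code from this thread: a POSIX shell script that writes an Apache 2.4 allowlist for wp-login.php and the wp-admin/ directory, and rewrites it with no addresses to close the door again. It assumes Apache 2.4 Require syntax and that .htaccess overrides are enabled for the site; the address 203.0.113.10 is a constructed sample, and admin-ajax.php is left reachable because front-end features call it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Apache 2.4 Require syntax and AllowOverride on.
set -u

# One Require directive for the given IPs/CIDRs; with no arguments, deny everyone.
require_line() {
  if [ "$#" -eq 0 ]; then
    printf 'Require all denied\n'
  else
    printf 'Require ip %s\n' "$*"
  fi
}

# Block for the site root .htaccess: guards wp-login.php (the actual login form).
root_rules() {
  cat <<EOF
# BEGIN wp-login allowlist
<Files "wp-login.php">
  $(require_line "$@")
</Files>
# END wp-login allowlist
EOF
}

# Contents of wp-admin/.htaccess: guards the dashboard but keeps admin-ajax.php
# reachable, since themes and plugins call it from the public front end.
admin_rules() {
  cat <<EOF
$(require_line "$@")
<Files "admin-ajax.php">
  Require all granted
</Files>
EOF
}

# Usage: wp_admin_set SITE_ROOT [IP_OR_CIDR ...]
#   wp_admin_set /var/www/html 203.0.113.10   # open for one address (constructed sample)
#   wp_admin_set /var/www/html                # close for everyone
wp_admin_set() {
  site="$1"; shift
  ht="$site/.htaccess"
  mkdir -p "$site/wp-admin"
  [ -f "$ht" ] || : > "$ht"
  # drop any earlier marked block so repeated opens/closes do not pile up, then append
  awk '/^# BEGIN wp-login allowlist$/{skip=1} !skip{print} /^# END wp-login allowlist$/{skip=0}' \
    "$ht" > "$ht.tmp"
  root_rules "$@" >> "$ht.tmp"
  mv "$ht.tmp" "$ht"
  admin_rules "$@" > "$site/wp-admin/.htaccess"
}
```

Run it from a cron job or an SSH alias before and after each admin session; the marked block is replaced in place, so existing rewrite rules in the root .htaccess survive.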
#8
(05-17-2020, 01:49 PM)sohamb03 Wrote: @"Hidden Refuge" Yeah agreed. That's only a sorta measure to delay the process and not necessarily a method to ward off bruteforce attacks.

I'd also prefer option 2 of yours. Probably that's the best way to prevent any sort of attack on the Admin page, and if you've got a static IP, it's brownie points.

Moreover, I'm also in complete agreement with you regarding plugins. Sadly, some of the most beautiful WordPress plugins are back doors to doom your website. I've been the victim of a plug-in attack too, which I'd also mentioned in a previous post regarding WordPress here.




@hamed Yeah, of course. You just edit your .htaccess file again, add your present IP address there, and you get access to the wp-admin page. Then after you're done you can edit it back again. In my opinion, that'd be the most solid measure to prevent attacks on the wp-admin page.

Regards,
A hacker can never attack my site's admin page because my site is highly secured by the data center. But a super professional hacker can do that (crack). But you say attack. Anyone who wants to attack the site will not only attack one subdomain but also the entire site server.
#9
Well, I think you didn't get the essence of what I meant. Don't take "attack" literally. I'm talking about a Cyber attack instead.

And afaik, your DC has nothing to do with securing your WP installation except providing DDoS protection. You are the one responsible for securing your website. An attack doesn't only consist of bruteforce, there are other forms like SQL Injection and so on.

What I meant is that you just momentarily edit your htaccess file to get access to WP Admin. This will ensure that all other IPs are denied access to the wp-admin directory, and no access = no attack (though not always).

Not sure what you mean by "Anyone who wants to attack the site will not only attack one subdomain but also the entire site server", but I think you're talking about DDoS attack, which I did mention above.

Regards,
Sayan Bhattacharyya,

Heartiest thanks to Post4VPS and Virmach for my wonderful VPS 9!
#10
(05-17-2020, 07:46 AM)Hidden Refuge Wrote: Just a fair warning about Wordpress and plugins. Even some of the biggest plugins and most active plugins have issues that for weeks or even months have sometimes left thousands of blogs or even more than just thousands open for attacks. Basically running a Wordpress blog with plugins is more of a security risk than running a straight up Vanilla blog.

There is a great site: https://wpvulndb.com/
No warning needed @"Hidden Refuge". I've also said so in my response. Using WordPress is a risk, and as far as possible I try to make it a calculated risk using the tools that are at our disposal at the WordPress site. Experience and learning are two very valuable tools. Since WordPress is such a widely used script with possibly millions of users, there are more than your average exploits going on, but there are also powerful tools being developed by expert users and developers to mitigate against those exploits. Not all of your users are necessarily inexperienced or lacking in IT sophistication - and some WordPress experts are making a living out of being genuine experts of WordPress. The key, if you are a supporter of WordPress, is to study their research or do the training that is offered, know what the limitations of WordPress are, and try to avoid them as much as you can. As said before, you can mitigate against those but you can never eliminate the risk. Also, the fancier you get with plugins and themes, the higher the risk. I use the minimum of plugins, on a calculated risk vs function choice.

But yes, compared with having a static site, WordPress is a big risk - its greatest risk is the appearance of simplicity and ease, but that can be misleading. With a static site most of the time you can leave it unattended for extended periods of time. But with WordPress you need to attend to it much, much more often - and if you think you're going to be away for an extended period of time, you will need to turn off/disable all of the interactive plugins and comments. From a shared host point of view, WordPress has to be highest on the list of hacked sites when members of a post2host shared hosting forum abandon their hosting accounts for extended periods of time without putting their WordPress script, themes and plugins on automatic updates. The more interactive the WordPress site is, i.e. when you are connected with social interaction through comments or participation of members, the more regularly you have to attend to the website; possibly daily monitoring is needed. Using a WordPress script is risky for sure. But depending on how you use it you could minimize those risks - not eliminate them, but protect against them. And there are many tools available for that. You just need to do your homework on what is available, follow common sense rules, and be vigilant all of the time.
Thank you to Post4VPS and VirMach for my awesome VPS 9!  