Hiding, Securing & Changing WP-Admin
Once an open source system becomes as popular as WordPress, it very often becomes a target for attacks. I wonder why the folks at WordPress have not done anything to enhance the security of the admin site, which, by default, you can access by going to /wp-admin.
The problem is that if you rename the directory, your WordPress installation becomes broken. I’ve looked and I could not find a plug-in that would let you change the wp-admin folder to something else, or at least conceal it. The only result that I found about how to do this is by Michi Kono. However, the solution proposed has a few drawbacks, like some links no longer working. Of course you have the option of restricting access to selected IP addresses via .htaccess, but if you are like most non-commercial internet subscribers you don’t have a static IP, which makes things more complicated.
So here is another solution to make WordPress more secure while keeping all WordPress functionality.
The first thing we need to do is pick what “name” we want for the admin section. For the purposes of this “tutorial” we will call it “secure-login”.
Note: You are about to modify crucial files in your wordpress installation. So do this at your own risk, and please, please backup your files before you do this.
Now, open your .htaccess file and add the following line after the “RewriteBase” line (the rule points at wp-login.php, the file that handles logins; there is no wp-admin.php at the root of a WordPress installation).
RewriteRule ^secure-login$ wp-login.php [L,NC,QSA]
So your .htaccess should look something like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^secure-login$ wp-login.php [L,NC,QSA]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
This tells your server that when you ask for “secure-login” you should be taken to wp-login.php.
Now we need to edit wp-login.php, which is located at the root of your installation. Add this before anything else.
// Paste at the very top of wp-login.php, right after its opening <?php tag.
session_start();

// See what file is being requested by the web client, also store the arguments just in case.
// explode() with a limit of 2 plus a "" default for the query string avoids the
// "Undefined offset: 1" notice reported in the comments when the URI has no "?".
$parts = explode("?", $_SERVER['REQUEST_URI'], 2);
$file = $parts[0];
$arguments = isset($parts[1]) ? $parts[1] : "";

// If the user just logged out, destroy this session and redirect them to root.
// There is deliberately no exit() here: WordPress must keep running to clear its own auth cookies,
// and session_destroy() does not unset $_SESSION for the current request, so the checks below still see the sentinel.
if ("/wp-login.php?loggedout=true" == $file . "?" . $arguments || "action=logout" == substr($arguments, 0, 13)) {
    session_destroy();
    header("Location: /");
}

// If our sentinel variable is set and true do nothing, allow normal script execution.
if (isset($_SESSION['valid_entrance']) && $_SESSION['valid_entrance'] == true) {
    /* As they say, "Silence is golden" */
}
// Now if the user is requesting wp-login.php and our sentinel is not true, redirect the "attacker" to root.
elseif ($file == "/wp-login.php" && !isset($_SESSION['valid_entrance'])) {
    header("Location: /");
    exit();
}
// If the user is requesting the right login entrance, set the sentinel to true.
elseif ($file == "/secure-login") {
    $_SESSION['valid_entrance'] = true;
}
That’s all you need to do. Your WordPress installation just became more secure. Don’t forget to upload your updated files to your server.
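The gate logic above, factored into a pure function so each request/session combination (including the no-query-string and logout cases raised in the comments) can be checked from the command line. This is an added example, not code from the post; the function name, the decision labels and the sample request table are mine, and it assumes WordPress lives at the site root, as the post’s RewriteBase / does.

```php
<?php
// Added example (not the post's code): the post's wp-login.php gate as a pure
// function, so each request/session combination can be checked from the CLI.
// Decisions: "enter"    = secret entrance hit, set the sentinel and continue;
//            "pass"     = sentinel already set, let wp-login.php run normally;
//            "redirect" = direct hit on wp-login.php without sentinel, send to /;
//            "logout"   = logout round-trip, destroy the session, let WordPress finish.
// Assumes WordPress at the site root (RewriteBase /), as in the post.
function loginGateDecision(string $requestUri, array $session): string
{
    // Limit 2 keeps a "?" inside the query string intact; the '' default is what
    // avoids the "Undefined offset: 1" notice when there is no query string at all.
    $parts     = explode('?', $requestUri, 2);
    $file      = $parts[0];
    $arguments = $parts[1] ?? '';

    // Same two logout triggers as the post: the loggedout=true bounce, or ?action=logout...
    if ($file . '?' . $arguments === '/wp-login.php?loggedout=true'
        || strncmp($arguments, 'action=logout', 13) === 0) {
        return 'logout';
    }
    if (isset($session['valid_entrance']) && $session['valid_entrance'] == true) {
        return 'pass';
    }
    if ($file === '/wp-login.php' && !isset($session['valid_entrance'])) {
        return 'redirect';
    }
    if ($file === '/secure-login') {
        return 'enter';
    }
    return 'pass'; // anything else is left to WordPress, as the post's code does
}

// Constructed sample requests: [REQUEST_URI, $_SESSION contents, expected decision].
// The nonce value is a placeholder, not a real WordPress nonce.
$cases = [
    ['/secure-login',                            [],                         'enter'],
    ['/wp-login.php',                            [],                         'redirect'],
    ['/wp-login.php?action=lostpassword',        [],                         'redirect'],
    ['/wp-login.php?action=lostpassword',        ['valid_entrance' => true], 'pass'],
    ['/wp-login.php?action=logout&_wpnonce=xxx', ['valid_entrance' => true], 'logout'],
    ['/wp-login.php?loggedout=true',             [],                         'logout'],
];
foreach ($cases as [$uri, $session, $expected]) {
    $got = loginGateDecision($uri, $session);
    printf("%-45s %-9s %s\n", $uri, $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with `php gate.php`; every row should print `ok`, and the third row shows why the sentinel matters: password-reset links still go to wp-login.php, so a visitor who has not entered through /secure-login is bounced even for action=lostpassword.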
I may do a plug-in whenever I find the time.
I would also recommend using Login Lockdown by Michael VanDeMar.
Let me know if you have any questions or recommendations for this.
#1 by china wholesale on October 10th, 2009
This is really cool, and I cannot wait to try it. I will have to spread the word.
#2 by Joe on October 28th, 2009
Great info, thank you! I will be giving this a try in the next few days.
#3 by Ares on October 28th, 2009
Good, let us know how that goes.
#4 by WPnoob on October 30th, 2009
How can I get rid of the following:
Notice: Undefined offset: 1 in C:\wamp\www\ewcsa\html\wp-login.php on line 5
Using WP 2.8.5; any help greatly appreciated.
This is working fantastically btw!
#5 by Ares on October 30th, 2009
Well, line 5 on my wp-login.html shows as a comment. Can you show me the first 20 lines or so of your wp-login to know what is going on?
Thanks.
#6 by WPnoob on October 30th, 2009
I tried to submit the code via this form.
Don’t know if it made it to you or not.
#7 by Ares on October 30th, 2009
Use a service like Code Dumper and just post the link to it. That will be easier.
#8 by WPnoob on October 31st, 2009
http://codedumper.com/amaqa
Thx. Looking forward to response.
#9 by Ares on October 31st, 2009
It seems like you are not sending any arguments to the login page. It’s no big deal, just add an @ in front of list so line 5 looks like this:
@list($file,$arguments) = explode("?", $_SERVER['REQUEST_URI']);
Basically you are just ignoring the warning. That’s what the @ sign does.
That should take care of it.
Let me know how it goes.
#10 by WPnoob on October 31st, 2009
Thanks!
Curious, am I supposed to be passing arguments to the login page?
Love this technique for securing wp-admin. Absolutely awesome. Thank you.
#11 by Ares on November 2nd, 2009
WordPress sends some parameters to the login page to reset passwords, register, and so on. So in this way of doing it we save those arguments so as not to break other WordPress functionality.
That’s why.
#12 by chinese wholesalers on December 16th, 2009
I tried to submit the code via this form.
Don’t know if it made it to you or not.
#13 by Ares on January 5th, 2010
No, it didn’t. You may want to use the contact form to do it, or you may want to explain what is going on.
#14 by saeed on May 10th, 2010
Thanks, but your wp-login code has a problem:
change “&&” to “&&”
#15 by Ares on May 10th, 2010
Yes, that is what it is meant to be, but apparently wordpress makes you change it for sanitation. I will find a way to correct it.
Thanks
#16 by kevin on June 26th, 2010
I just attempted to do this and it did not work. I deleted what I did and now I am no longer super admin of my website. How in the world do I become super admin again?
#17 by Ares on June 26th, 2010
Kevin,
What do you mean that you are no longer super admin? This has nothing to do with user rights. What version of WordPress are you using, and who is your host?
#18 by kevin on June 26th, 2010
WordPress 3.0, BuddyPress 1.2.4, WPMU enabled. After I deleted the code I logged into my wp-admin panel and all of my super admin permissions were gone. I checked my account under user accounts and saw that I was now an administrator, no longer super admin.
#19 by Ares on June 26th, 2010
Kevin,
I upgraded to WP 3.0, enabled multi-site, and applied the patch again with no problems. First I got confused because I visited sites after applying the patch and I didn’t see the “Super-Admin”, but then I visited the “Users” section and I saw it there. This patch doesn’t touch the database at all, so I am pretty confident that this patch is not the cause of your issue.
Also, I discovered that logging out is different in WP3 so I had to modify the script a bit. I will update the post later on to reflect those changes.
#20 by kevin on June 26th, 2010
Hostgator is host
#21 by Chase on July 11th, 2010
Another way to secure the wp-admin is to just go into your hosting cpanel (presuming the system being used) and set up your /wp-admin as a password protected directory… that way, all you get is this: http://www.oftheway.com/wp-admin
God Bless!
Chase
#22 by Ares on July 11th, 2010
Yes, you can also make your wp-admin folder .htaccess password protected, but that is still prone to attacks (trial and error). The advantage of this method is that you don’t actually show the door to the backend, or WordPress-specific hacks.
Thanks for stopping by.