Hiding, Securing & Changing WP-Admin
Once an open source system becomes as popular as WordPress, it very often becomes a target for attacks. I wonder why the folks at WordPress have not done anything to enhance the security of the admin area, which, by default, you reach by going to /wp-admin.
The problem is that if you rename the directory, your WordPress installation breaks. I’ve looked and could not find a plug-in that would let you change the wp-admin folder to something else, or at least conceal it. The only write-up I found on how to do this is by Michi Kono. However, the proposed solution has a few drawbacks, such as some links no longer working. Of course, you have the option of restricting access to selected IP addresses via .htaccess, but if you are like most non-commercial internet subscribers you don’t have a static IP, which makes things more complicated.
So here is another solution to make WordPress more secure while keeping all WordPress functionality.
The first thing we need to do is to pick the “name” we want for our admin entrance. For the purposes of this “tutorial” we will call it “secure-login”.
Note: You are about to modify crucial files in your WordPress installation. Do this at your own risk, and please, please back up your files before you begin.
Now, open your .htaccess file and add the following line directly after the “RewriteBase /” line (the rule must point at wp-login.php, the login script, not at wp-admin.php, which does not exist):
RewriteRule ^secure-login$ wp-login.php [L]
So your .htaccess should look something like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^secure-login$ wp-login.php [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
This tells your server that a request for /secure-login should be served internally by wp-login.php, while the browser still sees the URL /secure-login.
Now we need to edit wp-login.php, which is located at the root of your installation. Add the following immediately after the opening <?php tag, before anything else. (The paths below assume WordPress lives at the web root, matching “RewriteBase /” above; for a sub-directory install, prefix them with that directory.)
session_start();

// See what file is being requested by the web client, and keep the query string
// (if any) so WordPress's own parameters still work. explode() with a limit of 2
// plus an isset() check avoids the "Undefined offset: 1" notice that list()
// raises when the URL has no "?" at all.
$parts     = explode("?", $_SERVER['REQUEST_URI'], 2);
$file      = $parts[0];
$arguments = isset($parts[1]) ? $parts[1] : "";

// If the user just logged out, destroy this session and redirect them to root.
// exit() is required: without it the rest of wp-login.php would still run.
if ("/wp-login.php?loggedout=true" == $file . "?" . $arguments) {
    $_SESSION = array();
    session_destroy();
    header("Location: /");
    exit();
}

// If our sentinel variable is set and true, do nothing; allow normal script execution.
if (isset($_SESSION['valid_entrance']) && $_SESSION['valid_entrance'] == true) {
    /* As they say, "Silence is golden" */
}
// If the user is requesting wp-login.php directly and our sentinel is not set,
// redirect the "attacker" to root.
elseif ($file == "/wp-login.php" && !isset($_SESSION['valid_entrance'])) {
    header("Location: /");
    exit();
}
// If the user is requesting the right login entrance, set the sentinel to true.
elseif ($file == "/secure-login") {
    $_SESSION['valid_entrance'] = true;
}
That’s all you need to do. Direct requests to /wp-login.php are now bounced to the site root, and the login form is reachable only through /secure-login, so your WordPress installation just became more secure. Don’t forget to upload your updated files to your server.
I may write a plug-in whenever I find the time.
I would also recommend using Login Lockdown by Michael VanDeMar.
Let me know if you have any questions or recommendations for this.
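The entrance check above is easier to reason about as a pure function that can be exercised from the command line before it is pasted into wp-login.php. The following is an added example, not code from the original post; the function name secure_login_decide, the $base parameter (for sub-directory installs) and the returned action strings are assumptions made for this example. It also handles the missing-query-string case that produces the “Undefined offset: 1” notice discussed in the comments below, and it defaults to deny for any path other than the entrance, which is stricter than the post’s snippet (that one only denies /wp-login.php by name).

```php
<?php
// Added example, not code from the original post: the wp-login.php entrance
// check as a pure function so it can be tested from the command line.
// The function name, the $base parameter and the action strings are
// assumptions made for this example.

/**
 * Decide what wp-login.php should do with this request.
 *
 * @param string $request_uri  $_SERVER['REQUEST_URI'] (path plus optional query string)
 * @param array  $session      session array, by reference ($_SESSION in production)
 * @param string $base         URL prefix of the WordPress install: '' for the web
 *                             root, '/blog' if WordPress lives in a sub-directory
 * @param string $entrance     the entry path chosen in .htaccess
 * @return string 'logout', 'allow', 'enter' or 'deny'
 */
function secure_login_decide($request_uri, array &$session, $base = '', $entrance = 'secure-login')
{
    // Split path from query string with a limit of 2 and an isset() check, so
    // a URL without '?' no longer raises "Undefined offset: 1".
    $parts     = explode('?', $request_uri, 2);
    $file      = $parts[0];
    $arguments = isset($parts[1]) ? $parts[1] : '';

    $login_path    = $base . '/wp-login.php';
    $entrance_path = $base . '/' . $entrance;

    // The user just logged out: forget the sentinel and send them to the root.
    if ($file === $login_path && $arguments === 'loggedout=true') {
        $session = array();
        return 'logout';
    }

    // Sentinel already set in this session: let wp-login.php run normally,
    // including the form POST back to wp-login.php and WordPress's own
    // ?action=lostpassword / ?action=register links.
    if (!empty($session['valid_entrance'])) {
        return 'allow';
    }

    // First visit through the entry path: set the sentinel, then run normally.
    if ($file === $entrance_path) {
        $session['valid_entrance'] = true;
        return 'enter';
    }

    // Anything else (a direct hit on wp-login.php without the sentinel): deny.
    return 'deny';
}

// How the top of wp-login.php would use it (directly after the opening <?php tag):
//
//   session_start();
//   $action = secure_login_decide($_SERVER['REQUEST_URI'], $_SESSION);
//   if ($action === 'logout') { session_destroy(); header('Location: /'); exit(); }
//   if ($action === 'deny')   { header('Location: /'); exit(); }
//   // 'allow' and 'enter' fall through to the rest of wp-login.php

// Self-check with constructed request URIs; run with: php secure_login_decide.php
if (PHP_SAPI === 'cli') {
    $fail  = 0;
    $check = function ($got, $want, $label) use (&$fail) {
        if ($got !== $want) { echo "FAIL $label: got $got, want $want\n"; $fail++; }
    };
    $s = array();                                   // fresh browser session
    $check(secure_login_decide('/wp-login.php', $s),                     'deny',   'direct hit, no query string');
    $check(secure_login_decide('/wp-login.php?action=lostpassword', $s), 'deny',   'direct hit with arguments');
    $check(secure_login_decide('/secure-login', $s),                     'enter',  'entry path sets sentinel');
    $check(secure_login_decide('/wp-login.php', $s),                     'allow',  'form POST after entry');
    $check(secure_login_decide('/wp-login.php?loggedout=true', $s),      'logout', 'logout clears sentinel');
    $check(secure_login_decide('/wp-login.php', $s),                     'deny',   'denied again after logout');
    $sub = array();                                 // install living in /blog
    $check(secure_login_decide('/blog/secure-login', $sub, '/blog'),     'enter',  'sub-directory install');
    echo $fail === 0 ? "all checks passed\n" : "$fail check(s) failed\n";
    exit($fail === 0 ? 0 : 1);
}
```

Keeping the decision separate from the header() and session_destroy() calls is what makes it testable without a web server; the self-check walks one browser through a full login, logout and second attempt so a change to the rule set is caught before it lands on the live site.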
#1 by Paplesystelay on October 1st, 2009
Hello! Repentant klooper notwithstanding my english jer, buti very nice re say gJ$)Kd!!!.
#2 by china wholesale on October 10th, 2009
This is really cool, and I cannot wait to try it. I will have to spread the word.
#3 by Joe on October 28th, 2009
Great info, thank you! I will be giving this a try in the next few days.
#4 by Ares on October 28th, 2009
Good, let us know how that goes.
#5 by WPnoob on October 30th, 2009
How can I get rid of the following:
Notice: Undefined offset: 1 in C:\wamp\www\ewcsa\html\wp-login.php on line 5
using WP 2.8.5 any help greatly appreciated.
This is working fantastically btw!
#6 by Ares on October 30th, 2009
Well, line 5 on my wp-login.html shows as a comment. Can you show me the first 20 lines or so of your wp-login to know what is going on?
Thanks.
#7 by WPnoob on October 30th, 2009
I tried to submit the code via this form.
Don’t know if it made it to you or not.
#8 by Ares on October 30th, 2009
Use a service like Code Dumper and just post the link to it. That will be easier.
#9 by WPnoob on October 31st, 2009
http://codedumper.com/amaqa
Thx. Looking forward to response.
#10 by Ares on October 31st, 2009
It seems like you are not sending any arguments to the login page. It’s no big deal; just add an @ in front of list so line 5 looks like this:
@list($file,$arguments) = explode("?", $_SERVER['REQUEST_URI']);
Basically you are just ignoring the warning. That’s what the @ sign does.
That should take care of it.
Let me know how it goes.
#11 by WPnoob on October 31st, 2009
Thanks!
Curious, am I supposed to be passing arguments to the login page?
Love this technique for securing wp-admin. Absolutely awesome. Thank you.
#12 by Ares on November 2nd, 2009
WordPress sends some parameters to the login page to reset passwords, register, and so on. So in this way of doing it we save those arguments so as not to break other WordPress functionality.
That’s why.
#13 by chinese wholesalers on December 16th, 2009
I tried to submit the code via this form.
Don’t know if it made it to you or not.
#14 by Ares on January 5th, 2010
No, it didn’t. You may want to use the contact form to do it, or you may want to explain what is going on.