Protecting the admin directory
Video: Protecting the admin directoryIn this screencast, we improve security by preventing unwanted access to the WordPress Admin directory. We do this using a small slice of htaccess code, which provides strong, flexible protection against malicious behavior. Here we are in our FTP/file editor, looking at the files in our default WordPress installation. Here is the directory that we want to protect, wp-admin, mostly because it contains a plethora of sensitive functionality.
- Next steps
Viewers: in countries Watching now:
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
- Backing up and restoring your site
- Setting up strong passwords
- Choosing trusted plugins and themes
- Protecting the configuration file and the admin directory
- Securing the login page
- Fighting comment spam
- Blocking access and detecting hacks
- Finding and reporting vulnerabilities
Protecting the admin directory
In this screencast, we improve security by preventing unwanted access to the WordPress Admin directory. We do this using a small slice of htaccess code, which provides strong, flexible protection against malicious behavior. Here we are in our FTP/file editor, looking at the files in our default WordPress installation. Here is the directory that we want to protect, wp-admin, mostly because it contains a plethora of sensitive functionality.
To secure this directory, grab a copy of the blank htaccess file included in the resource files with this screencast and paste it into this wp-admin directory, as seen here. Next, open the file and then copy and paste the following code, which is also included with this screencast. Before uploading the htaccess file, we want to edit the IP address in the Allow from line to match our own.
Your IP information is readily available online, so just do a quick search for 'what's my IP?' and then click on one of the results. Go ahead and copy, return to the htaccess file, and paste that IP address into place, like so. Then save and upload the file to your server. And now, with that, all requests that are not from my IP address are going to be denied access to anything in the Admin area.
To see this, let's visit the site from a proxy server. There are many available online. Just do a quick search for proxy and pick your favorite. Here is a random 'proxy' that seems to be working. So let's try accessing our wp-admin directory by entering our URL in the Web Address field. Click on the Go button to see the results. Here at the top, we see that the remote server has returned a (403) Forbidden error, which is just what we want.
That means that we were denied access to the Admin area, so the htaccess protection that we uploaded here is working great. But do we still have access from our own address? Let's check by requesting the same page from our whitelisted IP address and sure enough, here is the Login page for our Admin area. We do have access. We're all set now, but there are a couple of things to keep in mind. First, if you aren't able to work with htaccess files, you may want to check with your web host.
On most setups these days, it's pretty easy to password-protect directories from your server control panel. And lastly, you can always add other IP addresses and allow access, like so. Simply copy and replicate the line and replace the IP address with any IP address, such as a mobile device or a different computer from which you would like to access the Admin area. Whatever it is, enter the IP address there and then upload to your server.
You may replicate this pattern as many times as necessary to account for as many IP addresses as you would like. In this screencast, we better secured the WordPress Admin area by protecting the files in the WordPress Admin directory, which is a very critical part of any WordPress site.
There are currently no FAQs about WordPress 3: Developing Secure Sites.