Don't get hacked, protect your Wordpress wp-admin folder
reubenyau.com — Graywolf and stuntdbl's blogs got defaced recently by someone accessing files in the wp-admin folder. Find out how to protect your wp-admin folder with a .htaccess file.
- 808 diggs
- Skitzzo, on 10/12/2007, -2/+5
Man pittbug, yesterday you gave us more Google stats, now this. You're on a roll, man!
- pittbug, on 10/12/2007, -2/+2
If this is the only means by which this 'pirate' can probe and gain access to Wordpress blogs, then this should definitely stop him/her.
- Redscowl, on 10/12/2007, -2/+4
I love simple solutions to icky problems. Tx dude.
- llbbl, on 10/12/2007, -2/+23
Restricting it by IP address isn't a good solution for many people because 1) they don't have a static IP, or 2) they edit their sites from multiple computers. It is a good attempt, but not worth the problems it's going to cause for people.
- fflush, on 10/12/2007, -3/+11
@llbbl
Exactly. This is a very stupid solution. I have no idea why this is being dugg.
- samanathon, on 10/12/2007, -3/+1
Yeah, that doesn't help me either. We could use the DynDNS updater, but that is just another step . . .
- fflush, on 10/12/2007, -3/+4
[continued, I was too slow with the editing]
@llbbl
Exactly. This is a very stupid solution. I have no idea why this is being dugg. Not to mention that editing the .htaccess file is common knowledge; if this is considered a solution to Wordpress's vulnerabilities, you might as well consider it a solution for all web application vulnerabilities. Yeah! Let's lock everyone out but meee! What about other contributors?
I think the real solution is to stop being so damn lazy and update your website when you notice that there's a critical vulnerability announced.
sigh.
- feralkid, on 10/12/2007, -0/+1
If that doesn't work for you, why not use password authentication instead of restricting access by IP address? It will require you to authenticate with the web server itself, not just the application.
And also, why whine when you could think up an alternative? Oh I know, because whining is easier. A solution to a problem might not suit you, but it might suit other people. I know I only access the administrative functions of my wp blog from my home network, and my IP address is relatively static, so it works OK for me. I've had to change it once in 18 months. Big, fleshy deal.
- spyrochaete, on 10/12/2007, -0/+1
.htpasswd and .htaccess would make much more sense
- xenixninja, on 10/12/2007, -0/+2
It's so easy to point out a "problem" without giving a solution to it.
And if you're too lazy to update your htaccess file, then I wonder how you have the energy to write a comment like that.
- Skitzzo, on 10/12/2007, -0/+1
You can code in a range of IPs, though. For example, my IP is not static, but I always stay within a certain range. So, unless someone in that same range was also a hacker, I'd be fine.
- nuglobe, on 10/12/2007, -2/+1
Can you use 209.59.XXX.XXX to create a wildcard for the last two octaves, or will that not work?
- tavisjohn, on 10/12/2007, -0/+1
Or just use an HTACCESS file to password lock the admin folder. However, you will want to use a different username/password combination than you use on your WordPress.
- dopesick, on 10/12/2007, -1/+1
@ tavisjohn
Many people are unaware of what a .htaccess file can truly do. Especially the first-time web admin.
- ajaydsouza, on 10/12/2007, -0/+3
You don't use a wildcard; instead you just put it up to 127.0.0 or 127.0 etc.
However, it means you are opening it up to everyone on your network, i.e. anyone who can get that dynamic IP.
- ear1grey, on 10/12/2007, -0/+1
The concept is right but your syntax is wrong; for the octave you need to do something like:
Deny do.re.mi.(fa|so|la|ti|do)
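Editor's added example, not part of any comment above and not the .htaccess from the linked article: the IP restriction the submission describes, written out for /wp-admin/.htaccess in Apache 2.2 syntax, with the partial-address form ajaydsouza mentions and the CIDR form that makes the width of the opening explicit. The addresses are documentation-range placeholders, and the admin-ajax.php exception assumes the site has front-end plugins that call it.

```apache
# Added example: /wp-admin/.htaccess restricting the dashboard by client IP.
# Apache 2.2 mod_authz_host syntax; 203.0.113.x / 198.51.100.x / 192.0.2.x are
# placeholder ranges, replace them with your own.
Order deny,allow
Deny from all

# One static address.
Allow from 203.0.113.5

# A partial address is a prefix match on whole octets: "198.51.100" equals
# 198.51.100.0/24 (256 hosts). Stopping after two octets ("198.51") would
# admit every one of the 65,536 addresses in that /16, i.e. anyone else your
# ISP hands an address to, so keep the prefix as long as you can.
Allow from 198.51.100

# CIDR form states the size of the hole explicitly; prefer it to partial octets.
# (Apache 2.4 equivalent of this whole file: Require ip 203.0.113.5 198.51.100.0/24 192.0.2.0/28)
Allow from 192.0.2.0/28

# "209.59.XXX.XXX"-style wildcards are not valid in Allow/Deny; use a prefix or
# a CIDR block instead.

# Themes and plugins that use AJAX on the public site call
# wp-admin/admin-ajax.php as an anonymous visitor; re-open just that file so the
# IP lock does not break the front end.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```

Two things this does not do: the login form lives at /wp-login.php in the site root, outside wp-admin, so it stays reachable and can still be brute-forced; and a change of home address means editing this file over FTP/SFTP before the dashboard opens again, which is the objection llbbl raised.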
- MasteRR, on 10/12/2007, -0/+5
.htaccess has so many more uses than limiting by IP address. You could password protect it, which may be a better solution for those with dynamic IP addresses.
It is useful for other things besides Wordpress, too.
http://en.wikipedia.org/wiki/.htaccess
- nuglobe, on 10/12/2007, -1/+1
It's an obvious place to look for more info, but it didn't cross my mind. Thanks
- MasteRR, on 10/12/2007, -0/+1
A bit more info on .htaccess:
http://httpd.apache.org/docs/2.2/howto/htaccess.html
- bfdhud, on 10/12/2007, -10/+1
I hate to sound stupid, but just don't blog.
- Skitzzo, on 10/12/2007, -0/+2
"I hate to sound stupid" - bfdhud
Then don't speak.
- Brajeshwar, on 10/12/2007, -0/+2
You mean nobody did this before? Hmmm, I've been using .htaccess to protect non-public directories (but located in the public access area) for ages. Btw, do not forget to protect the .htaccess file itself too by putting this code in the .htaccess file itself.
order allow,deny
deny from all
- damienpassehl, on 10/12/2007, -0/+1
Here are the pictures of what the vandal did.
http://digg.com/security/What_The_Word_Press_Hacker_Left_Behind_Picture_Of_The_Hacked_Sites
- Brajeshwar, on 10/12/2007, -0/+2
Oops, the code doesn't come up.
<Files .htaccess>
order allow,deny
deny from all
</Files>
- Brajeshwar, on 10/12/2007, -0/+2
Also, most web hosts will give you a GUI interface to do this directory protection in an easy way.
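Editor's added example, not part of any comment above: the password-protection alternative feralkid, tavisjohn and MasteRR suggest, combined with the self-protection Brajeshwar describes, as a complete /wp-admin/.htaccess in Apache 2.2 syntax. The .htpasswd path, the user name and the office address are assumptions.

```apache
# Added example: /wp-admin/.htaccess with HTTP Basic authentication (Apache 2.2).
# The AuthUserFile path and user name are placeholders. Create the file outside
# the web root, with a password that is NOT your WordPress password:
#   htpasswd -c /home/example/.htpasswd wpadmin
AuthType Basic
AuthName "WordPress administration"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Optional: a fixed address (placeholder 203.0.113.5) gets in without the
# prompt, everyone else must authenticate. "Satisfy any" means pass EITHER the
# host test OR the password test; without it both would be required.
Order deny,allow
Deny from all
Allow from 203.0.113.5
Satisfy any

# Front-end AJAX hits wp-admin/admin-ajax.php anonymously; leave that file open.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

# Never serve .htaccess or .htpasswd themselves. "Satisfy all" inside this block
# overrides the "Satisfy any" above, so even a logged-in user cannot download
# the password file if it happens to live under the web root.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</FilesMatch>
```

Basic authentication sends the user name and password (base64, not encrypted) on every request, so this only adds real protection when wp-admin is served over HTTPS; over plain HTTP it is sniffable in exactly the way machinder describes for FTP below.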
- tomi, on 10/12/2007, -0/+1
When you're using a .htaccess IP restriction, can you use a DynDNS address instead of an IP address, or would it not be recognized? I've always wondered that...
- GaffleSnipe, on 10/12/2007, -1/+3
Can someone explain how to do this to a graphic designer?
I copy the code into a text file and save it as?.....
file extension?
Help? I'm clueless here, but I want to be protected too!
- noerrorsfound, on 10/12/2007, -0/+1
The best solution would be to upgrade WordPress to version 2.0.7, which fixes the vulnerability.
- mutatron, on 10/12/2007, -1/+1
If you're using CPanel on a hosting service and you have a dynamic IP so you can't use the above solution, do this:
1. Click on "Web Protect".
2. Navigate to the folder you want to password protect.
3. Click on the name of the folder you want to protect.
4. Add a user with a password.
5. Check the password protect box and name the protection something like "Protected".
6. Click on "Save".
CPanel creates all the necessary files for you where they're supposed to be.
- penagate, on 10/12/2007, -2/+2
And this is a perfect example of why you should always edit critical files through FTP and block all access to them through HTTP.
- machinder, on 10/12/2007, -0/+2
There are two problems with this. First, you're not editing files in wp-admin, you're submitting data to your database through a form. You can't do this through FTP. Secondly, FTP is very insecure, and it's trivial to sniff a username and password if you know an FTP session is taking place. Many clients create multiple simultaneous connections when going through your queue, so your username and password are sent several times.
If you're editing files on your host you should use SSH or SFTP. You can also use SSHFS if you're on a system that supports it. If you want to secure an admin directory, the best way is the method above or HTTP authentication paired with a self-signed SSL certificate. If you've got that, you could also do WebDAV over HTTPS.
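Editor's added example, not part of any comment above: the "HTTP authentication paired with an SSL certificate" combination machinder recommends, as a /wp-admin/.htaccess in Apache 2.2 syntax that refuses plain-HTTP requests before the password prompt is ever sent. It assumes the host already serves the site over HTTPS (self-signed or not), that mod_ssl is loaded, and that .htaccess overrides include AuthConfig; the .htpasswd path is a placeholder.

```apache
# Added example: /wp-admin/.htaccess, Basic auth only over HTTPS (Apache 2.2 + mod_ssl).
#
# SSLRequireSSL runs in the access-control phase, BEFORE authentication, so a
# plain-HTTP request gets a 403 and the browser never sees a password prompt
# on the insecure channel. A RewriteRule in this same .htaccess would not do:
# per-directory mod_rewrite runs in the fixup phase, after authentication, so
# the browser would already have sent the password in clear before the redirect.
SSLRequireSSL

AuthType Basic
AuthName "WordPress administration"
AuthUserFile /home/example/.htpasswd   # placeholder path, outside the web root
Require valid-user

# To give users a redirect instead of a 403, put it in the plain-HTTP virtual
# host in the server config, where no authentication is configured at all
# (www.example.com is a placeholder):
#
#   <VirtualHost *:80>
#       Redirect permanent /wp-admin https://www.example.com/wp-admin
#   </VirtualHost>
```

With a self-signed certificate the browser warning is the trade-off; the credentials are still encrypted on the wire, which is the point machinder makes about SFTP versus FTP applied to the admin pages.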
- V3RT1G0LMI, on 10/12/2007, -2/+1
...or you can just update to 2.1.7...
- Shorthouse, on 10/12/2007, -0/+3
Or 2.0.7 according to http://wordpress.org/download/
- noamsml, on 10/12/2007, -1/+1
Unfortunately, it only works if you have a static IP address (oh, how I wish I had one!)
- xenixninja, on 10/12/2007, -1/+1
w00t! Your IP changes every second? Or are you just too lazy to change your htaccess file?
- Zorlak, on 10/12/2007, -0/+2
I think it is a clever fix, personally.
Sure, it is easy to about it, because it has a few cons here and there, but PLEASE stop and think...
Maybe, just maybe, a person cannot upgrade their site on a whim to fix security issues... What if, for example, you use critical plug-ins that aren't supported by the newest "secure" version? What if, for example, I don't have the time to do a full upgrade because I am busy running a business and I need to put off the upgrade for a few days? SERIOUSLY, DO PEOPLE NOT THINK?! A quick fix like this is VERY useful for many different types of people.
"It will create more problems than it will solve" - Are you stupid? Which is worse, getting hacked, or having to spend a few extra minutes adding a new IP to your .htaccess file?
This is NOT a solution to wordpress hacks, but it is an EXCELLENT temporary fix! I wish people would give credit where credit is due. Seriously, stop and think for just a few seconds... This article might actually be helping someone who has different needs. :) /rant