• One of my friends had her WP admin hacked. Is there a way to protect the directory for the admin and have it still work for posting and editing? I cannot figure out how to .htaccess the directory and still have it work.

Viewing 12 replies - 1 through 12 (of 12 total)
  • Maybe protect it but assign it a different username and password than everything else.

    Thread Starter southerngal

    (@southerngal)

    Thanks Matt, how would I do that?
    I tried to put it in a separate directory and .htaccess that, but it gave me a lot of errors as everything was pointing to where it should have been.
    I’m talking about wp-admin. Is there another way to do this?

    I used an .htaccess file to protect almost everything in my wordpress directories… including the admin one so in order to post or access the back end at all, you have to login to the web site first. Works like a charm.
    On the subject of hacking, it might be prudent (if this was a well done hack and not just someone with an easily guessable password) to PRIVATELY email the WP dev team and let them know how it happened. Perhaps they can fix the code for the next version if it is, indeed, something they can do.

    Thread Starter southerngal

    (@southerngal)

    Yup, that’s what it was, thanks Ocean!! Too cool!

    Thread Starter southerngal

    (@southerngal)

    I created a tutorial for this. You can find that here.
    Hopefully this will help keep other people from getting hacked like my friend. :)
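As an added illustration (this is not the thread's own tutorial, which is no longer linked here), the kind of `.htaccess` the posts above describe: it is placed inside the `wp-admin/` directory and makes Apache demand its own username and password before WordPress's login page is ever served. The password-file path is an assumption; the file must live outside the web root so it can never be downloaded. Because Basic Auth is sent base64-encoded on every request, the admin area has to be served over HTTPS for this layer to be worth anything.

```apache
# Added example: .htaccess placed in wp-admin/ (not the tutorial's own file).
# Apache prompts for these credentials first; WordPress's login comes second.
AuthType Basic
AuthName "Site administration"
# Assumed path, outside the document root, created with:
#   htpasswd -c /home/example/.htpasswd adminuser
AuthUserFile /home/example/.htpasswd
Require valid-user

# Later WordPress versions route front-end requests (plugins, themes, logged-in
# AJAX) through wp-admin/admin-ajax.php. If anonymous visitors need it, exempt
# that single file so the public site keeps working. Apache 2.2 syntax:
<Files admin-ajax.php>
    Satisfy Any
    Order allow,deny
    Allow from all
</Files>
```

On Apache 2.4 the `<Files>` block becomes `Require all granted`, and `htpasswd -B` stores bcrypt hashes instead of the default MD5-based ones. Use a different username and password from the WordPress account so that guessing one does not hand over the other, which is the point of the layering.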

    Basic Auth sends your userID and password with every single HTTP header. Basic Auth without SSL sends them in the clear.
    I’m not disputing the usefulness of this tip, I’d just like to understand exactly what problem is being solved. Thanks!

    The copyright statement on top of the tutorial is forbidding!
    Anon, she just wants to make sure no one without the password can access the wp folders.

    I understand, but you already have to be logged in with a password to get to any of the PHP files in that folder anyway. It looks like you could load up the .js or .css files there, but those won’t tell you anything. Or am I missing some other dangerous files (I didn’t try all of them) that are accessible without a login?

    Thread Starter southerngal

    (@southerngal)

    *LOL* 2fargon! You like that copyright thing??!! Too funny.
    One of my friends, anon (please register here, it’s free y’know ;)) had her wp-admin backend hacked into by a pRon hacker and hijacked it. I don’t want to know why or how, I just wanted to prevent it from happening to myself and to others. :)

    Sigh. I do want to know how. I’m a web programmer and sometimes site administrator myself, so learning what is possible and what isn’t is both useful and vital to me. It’s also important that people (myself included) understand what kind of protection really is useful and what isn’t.
    I personally can’t yet see any significant improvement that adding basic auth protection of the wp-admin directory offers, but I’m interested to see what I might be missing.
    As far as registering, I know it’s easy to do. It’s just that I already have probably over 100 userIDs and passwords all over the web for sites that require them. Since this site doesn’t, I haven’t been compelled to create yet another one.
    Doug

    No significant improvements? It’s another layer someone has to get through in order to get into the system. First, you have to get access to the directory, THEN you have to get access to the WP backend. Of course, it’s not as secure as using a password that changes every 15 mins, but we can’t all afford secure IDs for a stupid little blog. :)
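To make both sides of this exchange concrete (Anon's point that Basic Auth is only base64 on every request, and the reply that it is still an extra gate in front of the WP login), here is an added, stand-alone Python model of what the Apache layer does per request. It is not code from the thread or from WordPress; the user store, the captured request and the function names are all constructed for the example. The server keeps only a salted hash of the password, compares in constant time, and refuses plaintext HTTP outright rather than accepting credentials that have already travelled in the clear.

```python
"""Added example (not from the thread): a minimal stand-in for the Basic Auth
layer in front of /wp-admin. Hypothetical function names and constructed data."""
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

_ITERATIONS = 200_000  # PBKDF2 work factor for the constructed user store


def make_entry(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only (salt, PBKDF2-HMAC-SHA256 hash), never the password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return salt, digest


# Constructed user store; Apache would read this from the .htpasswd file.
USERS = {"southerngal": make_entry("correct horse battery staple")}


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization' header value.

    The token is plain base64, not encryption: this is exactly why the layer
    only helps when wp-admin is served over HTTPS."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep or not user:
        return None
    return user, password


def check_credentials(user: str, password: str) -> bool:
    """Constant-time check; unknown users still cost a hash so timing
    does not reveal which usernames exist."""
    entry = USERS.get(user)
    salt, expected = entry if entry else (b"\0" * 16, b"\0" * 32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return entry is not None and hmac.compare_digest(candidate, expected)


def authorize_request(raw_request: bytes, over_tls: bool) -> Tuple[int, str]:
    """Outcome for one request to /wp-admin: 426 on plaintext HTTP, 401 with a
    challenge until valid credentials arrive, 200 once the first gate is passed
    (WordPress's own login is still the second gate)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not over_tls:
        return 426, "Upgrade Required: Basic Auth is only accepted over https://"
    creds = parse_basic_authorization(headers.get("authorization"))
    if creds and check_credentials(*creds):
        return 200, "OK"
    return 401, 'WWW-Authenticate: Basic realm="Site administration"'


# Constructed capture of what a browser sends after the Basic Auth prompt.
SAMPLE_TOKEN = base64.b64encode(b"southerngal:correct horse battery staple").decode()
SAMPLE_REQUEST = (
    "GET /wp-admin/ HTTP/1.1\r\nHost: blog.example\r\n"
    f"Authorization: Basic {SAMPLE_TOKEN}\r\n\r\n"
).encode()

if __name__ == "__main__":
    print("decoded header:", parse_basic_authorization("Basic " + SAMPLE_TOKEN))
    print("over TLS:", authorize_request(SAMPLE_REQUEST, over_tls=True))
    print("plaintext:", authorize_request(SAMPLE_REQUEST, over_tls=False))
```

The first print shows the whole of Anon's objection: the header decodes straight back to the username and password, so without TLS every request hands them to anyone on the path. The second and third show the reply's point: on a properly served site the layer is a real gate that has to be passed before the WordPress login is even reachable.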

    I blogged about this the other day.
    I have yet to see, when I have asked for ftp / cpanel / blog details, any decent passwords. They are inevitably a birthday, a pet name, or even the person’s name and age. Hardly difficult to guess.
    Sure a determined hacker may have more tools and knowledge at their disposal, but (almost) any site is vulnerable. The motivation behind the hacking of a blog is purely guesswork, unless it is someone known to the blogger? And if that is the case, the password examples I gave aren’t going to hold people back for long.
    Use secure passwords – simple as that, and have different ones for your blog, your ftp, cpanel and mysql.

  • The topic ‘Protecting Admin’ is closed to new replies.